Malicious PDF — malware analysis report

Static analysis result for SHA-256 60f97661b986ea23…

MALICIOUS

PDF

Size: 100.7 KB
Created: 2021-03-29 04:04:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa9bb0069eb1f402a5fd6da47ad803b1
SHA-1: 4897350539fe4702b2def45e8e58ac616441a38f
SHA-256: 60f97661b986ea239e38eb457e2fc28ac128da65beab69974f5ceb654bf95d07
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF carries an unusually large number of clickable external links for a 100 KB document generated from HTML with wkhtmltopdf. One link (ponafet.ru, with a search phrase in its utm_term parameter) points to a domain flagged as phishing-related; the rest are .pdf targets clustered on a few file-hosting services (s3.amazonaws.com, uploads.strikinglycdn.com, filesusr.com), the shape of a generated SEO link-farm carrier rather than genuine citations. The ML classifier (0.9987) and the ClamAV signature (Pdf.Phishing.Trojan) independently call the file malicious. No JavaScript or other script was extracted, so the T1059.007 mapping rests on the detection label rather than on recovered code; the observable behaviour is redirection of whoever clicks through to an external site, not an exploit against the viewer. When reading the URL list, note that the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the document metadata, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries are consistent with name-table strings of the three embedded fonts; none of them is a clickable link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=la+casa+de+los+espiritus+libro+resumen
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_859b230803a34353968d429c0f2300f6.pdf?index=true
    • https://s3.amazonaws.com/juvosi/kurivixipozesusapag.pdf
    • https://uploads.strikinglycdn.com/files/db58a23e-6ea9-4306-9928-36d74a8d1d26/graham_hancock_supernatural_review.pdf
    • https://s3.amazonaws.com/sedowedi/ib_grade_5_math_textbook.pdf
    • https://fad58b31-c538-4d3f-828d-7998eec853b9.filesusr.com/ugd/7e6083_02ebc4f8b4514c498f6ad9c48b2f5108.pdf?index=true
    • https://s3.amazonaws.com/wutisigila/converse_70s_size_guide.pdf
    • https://uploads.strikinglycdn.com/files/73aecdc5-b35a-4b85-a4ff-4f786cbaea8c/what_are_the_listening_skills_in_english.pdf
    • https://2fe0a9f4-4d23-48c4-8711-d5fb25093877.filesusr.com/ugd/683a75_42a4213ca8884a70870c1a2d3c817864.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b67c5b45-07bd-48d8-8b0d-64848d33ae05/suvigamudimebobosonofo.pdf
    • https://7f1d4f38-7308-4051-b389-b8ed31312188.filesusr.com/ugd/e948c1_8793f5e4f4304ee1a709078a1b1e2f22.pdf?index=true
    • https://s3.amazonaws.com/dukajevo/belgium_visa_online_form.pdf
    • https://uploads.strikinglycdn.com/files/5212d110-a3f2-4f7a-b76d-4db552cfa395/mokeduwe.pdf
    • https://s3.amazonaws.com/sedowedi/mis_report_in_excel_interview_questions_answers.pdf
    • https://s3.amazonaws.com/libowebujakux/pasteurization_and_sterilization_of_milk.pdf
    • https://s3.amazonaws.com/zamuriza/angular_5_dashboard_template_free.pdf
    • https://s3.amazonaws.com/fonazuzixagizir/unit_1_acquisitive_arrogate_banal_answers.pdf
    • https://uploads.strikinglycdn.com/files/bddafc14-54aa-4cb2-8f8e-fa31d95f49df/76510765355.pdf
    • https://s3.amazonaws.com/fifomi/4262170945.pdf
    • https://s3.amazonaws.com/makixibawumebol/beyblade_burst_app_apk.pdf
    • https://uploads.strikinglycdn.com/files/e1a4dce8-748b-4287-a1f1-5731e25063a9/matlab_2019b_mac_os_download.pdf
    • https://s3.amazonaws.com/tazibabebamep/accp_chest_guidelines_atrial_fibrillation.pdf
    • https://9e7b01ce-91ce-414a-93c5-ade8df4b7359.filesusr.com/ugd/cfbfd2_9374e8a5abc843d08256de995da60464.pdf?index=true
    • https://s3.amazonaws.com/kewakuko/55401890964.pdf
    • https://uploads.strikinglycdn.com/files/81468d41-a9f8-4a50-ac9a-3cc57a70136b/6.0_powerstroke_egr_delete_kit_with_oil_cooler.pdf
    • https://uploads.strikinglycdn.com/files/4eb7baf4-1355-4a45-a4ff-cd3bb0e12384/44834620925.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
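As an added example (not code from the report or its analysis engine), the shape check behind PDF_SEO_LINK_FARM and the per-channel URL labelling behind EMBEDDED_URL, in Python over a constructed skeleton PDF. The thresholds, the sample URLs and the .invalid redirector host are assumptions for the demo; only literal-string /URI actions are parsed (hex strings and object streams are ignored).

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample link set, not the URLs of the analysed file: one
# redirector-style URL with a search phrase in utm_term, plus a cluster of
# hosted ".pdf" targets on two file-hosting domains.
SAMPLE_LINKS = (
    ["https://redirector.invalid/strik?utm_term=some+search+phrase"]
    + [f"https://s3.amazonaws.com/bucket{i}/{i}.pdf" for i in range(7)]
    + [f"https://uploads.strikinglycdn.com/files/{i}/doc{i}.pdf" for i in range(4)]
)

# XMP packet carrying namespace URIs; these show up in a raw scan but are
# not clickable.
SAMPLE_XMP = (
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"/>'
    b"</rdf:RDF></x:xmpmeta>"
)


def build_sample_pdf(links: list[str], xmp: bytes = SAMPLE_XMP) -> bytes:
    """Skeleton PDF (no xref table, so not viewer-ready) with one /Link
    annotation per URL and an XMP metadata stream: enough structure for the
    byte-level triage below."""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    ]
    refs = []
    for num, url in enumerate(links, start=5):
        objs.append(
            b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (%s) >> >> endobj" % (num, url.encode())
        )
        refs.append(b"%d 0 R" % num)
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >> endobj")
    objs.append(
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj"
    )
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


# /URI action target written as a PDF literal string: /URI (...) with
# backslash escapes for ( ) and \. The hex-string form <...> is not handled.
_URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_RAW_URL = re.compile(rb"https?://[^\s()<>\"']+")


def _unescape(literal: bytes) -> str:
    return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")


def uri_actions(pdf: bytes) -> list[str]:
    """Targets a reader can click: /URI action strings."""
    return [_unescape(m) for m in _URI_ACTION.findall(pdf)]


def raw_urls(pdf: bytes) -> list[str]:
    """Every http(s) URL anywhere in the bytes, whatever its channel."""
    return [m.decode("latin-1") for m in _RAW_URL.findall(pdf)]


def link_farm_triage(pdf: bytes, *, max_size: int = 200_000, min_pdf_links: int = 8,
                     min_top_host_share: float = 0.5) -> dict:
    """Apply the link-farm shape check. The thresholds are assumptions chosen
    for this demo, not the report's tuned values."""
    clickable = uri_actions(pdf)
    external = [u for u in clickable if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(external) if external else 0.0
    clickable_set = set(clickable)
    # Label each URL by the channel that reached it; only clickable ones count
    # towards the link-farm verdict.
    channels = {
        u: ("link annotation" if u in clickable_set else "body/metadata only")
        for u in raw_urls(pdf)
    }
    flagged = (len(pdf) <= max_size
               and len(pdf_links) >= min_pdf_links
               and top_share >= min_top_host_share)
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": top_share,
        "channels": channels,
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = link_farm_triage(build_sample_pdf(SAMPLE_LINKS))
    for key, value in result.items():
        if key != "channels":
            print(f"{key}: {value}")
    for url, channel in result["channels"].items():
        print(f"  [{channel}] {url}")
```

The verdict is driven by the three properties the heuristic names (small file, many .pdf targets, one dominant host), while the channel map keeps the XMP namespace URIs out of the count, which is the distinction the EMBEDDED_URL note asks the reader to make.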

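The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL check, as an added example not taken from the report's engine: it collects every "N G obj ... endobj" definition, reports object numbers whose definitions differ in bytes, shows what a first-wins and a last-wins reader would resolve, and escalates only when a definition carries a key from an assumed active-content list. The sample PDF bytes, its xref offsets and the key list are constructed for the demo.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample, not bytes from the analysed file: object 4 0 is first a
# plain link annotation, then redefined in an appended incremental update with
# a JavaScript action. A first-wins parser and a last-wins parser therefore
# see different documents. The xref offsets are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign.pdf) >> >> endobj
xref
0 5
trailer << /Size 5 /Root 1 0 R >>
startxref
0
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("https://example.org/redirect", true)) >> >> endobj
xref
0 5
trailer << /Size 5 /Root 1 0 R /Prev 0 >>
startxref
400
%%EOF
"""

# Same shape, but the update only adds a /Rect: a body-only difference with no
# active content, the benign incremental-update case that stays at info.
BENIGN_UPDATE = SAMPLE_PDF.replace(
    b'/A << /S /JavaScript /JS (app.launchURL("https://example.org/redirect", true)) >>',
    b"/Rect [0 0 200 40] /A << /S /URI /URI (https://example.org/benign.pdf) >>",
)

_OBJ = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Dictionary keys treated as active content for severity escalation. This list
# is an assumption for the demo; a plain link /URI on its own is not escalated.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/EmbeddedFile", b"/RichMedia")


def indirect_objects(pdf: bytes):
    """Yield (num, gen, body, offset) for each 'N G obj ... endobj' in file order."""
    for m in _OBJ.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(pdf: bytes) -> list[dict]:
    seen = defaultdict(list)
    for num, gen, body, off in indirect_objects(pdf):
        seen[(num, gen)].append((off, body))
    findings = []
    for key, defs in seen.items():
        bodies = [b for _, b in defs]
        if len(defs) < 2 or len(set(bodies)) == 1:
            continue  # single definition, or byte-identical copies: nothing to choose between
        active = sorted({k.decode() for b in bodies for k in ACTIVE_KEYS if k in b})
        findings.append({
            "object": key,
            "definitions": len(defs),
            "offsets": [off for off, _ in defs],
            "first_wins": bodies[0],   # what a reader that keeps the first definition resolves
            "last_wins": bodies[-1],   # what a reader that follows the latest update resolves
            "active_keys": active,
            "severity": "high" if active else "info",
        })
    return findings


def incremental_update_count(pdf: bytes) -> int:
    """Number of startxref markers; more than one means the file was appended to."""
    return pdf.count(b"startxref")


if __name__ == "__main__":
    for name, sample in (("javascript-update", SAMPLE_PDF), ("rect-only-update", BENIGN_UPDATE)):
        print(name, "updates:", incremental_update_count(sample))
        for f in duplicate_objects(sample):
            print(f"  obj {f['object']} x{f['definitions']} -> {f['severity']} active={f['active_keys']}")
```

Counting startxref markers alongside the duplicate tells you whether the redefinition arrived through a regular incremental update (a second trailer with /Prev) or was simply appended without one, which is the cheaper way to get a first-wins/last-wins split.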
Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00013ac8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13AC8 | 5184 bytes
    SHA-256: d61e9d1c161d67702d26013f3980099fd13ca833359c087c1b7515435de35243
font_01_sfnt_off00014c3b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14C3B | 12680 bytes
    SHA-256: 1594177457e573a447fa6366fd86eeee23ef28810fea7b241a02dc6a2908ed53
font_02_sfnt_off000174f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x174F7 | 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
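An added example, not the report's own carver, of how pdf-font-stream artifacts like the three above are produced: walk every stream, inflate FlateDecode data, keep blobs that open with an sfnt magic, and record offset, size, SHA-256, table directory and any URLs found in the font's own bytes. The fake font and the wrapper PDF are constructed here, and the look-back window used to read the stream dictionary is a simplification in place of a full object parser.

```python
from __future__ import annotations

import hashlib
import re
import struct
import zlib

# sfnt container magics: TrueType outlines, CFF outlines, Apple 'true', collections.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
    b"ttcf": "TrueType collection",
}
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
_URL = re.compile(rb"https?://[^\s\x00()<>\"']+")


def fake_sfnt(tables: dict[bytes, bytes] | None = None) -> bytes:
    """Minimal TrueType-shaped blob: offset table, table records, payloads.
    Constructed for this demo; it is not a renderable font. The 'name' payload
    carries a licence URL like the ones font metadata contributes to a URL list."""
    if tables is None:
        tables = {
            b"head": b"\x00" * 54,
            b"name": b"Demo Font\x00Licensed under http://scripts.sil.org/OFL\x00",
        }
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # search fields left zero
    records, payload = b"", b""
    base = 12 + 16 * n
    for tag, body in tables.items():
        records += struct.pack(">4sIII", tag, 0, base + len(payload), len(body))
        payload += body
    return header + records + payload


def wrap_font_in_pdf(font: bytes) -> bytes:
    """Constructed PDF fragment: the font as a FlateDecode /FontFile2-style
    stream plus one plain content stream as a non-font control."""
    comp = zlib.compress(font)
    content = b"BT /F1 12 Tf (hello) Tj ET"
    font_obj = (b"5 0 obj << /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
                % (len(comp), len(font)) + comp + b"\nendstream\nendobj\n")
    content_obj = (b"6 0 obj << /Length %d >>\nstream\n" % len(content)
                   + content + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + font_obj + content_obj + b"%%EOF\n"


def sfnt_table_tags(blob: bytes) -> list[str]:
    """Table tags from the offset table directory (numTables at bytes 4..6)."""
    if len(blob) < 12:
        return []
    (num_tables,) = struct.unpack(">H", blob[4:6])
    tags = []
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break  # truncated directory
        tags.append(rec[:4].decode("latin-1"))
    return tags


def carve_sfnt_fonts(pdf: bytes) -> list[dict]:
    """Walk every stream, inflate FlateDecode ones, keep those that start with
    an sfnt magic. Offsets are of the raw stream data in the file, matching
    the off<hex> naming used in the artifact table."""
    found = []
    for m in _STREAM.finditer(pdf):
        raw = m.group(1)
        # The stream dictionary sits between the last 'N G obj' and the
        # 'stream' keyword; a bounded look-back is enough to see its /Filter.
        head = pdf[max(0, m.start() - 512):m.start()]
        dict_window = head[head.rfind(b" obj") + 1:] if b" obj" in head else head
        blob = raw
        if b"/FlateDecode" in dict_window:
            try:
                blob = zlib.decompress(raw)
            except zlib.error:
                continue  # damaged or non-standard deflate data; leave for manual work
        kind = SFNT_MAGICS.get(blob[:4])
        if kind is None:
            continue
        offset = m.start(1)
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "kind": kind,
            "offset": offset,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "tables": sfnt_table_tags(blob),
            "urls": [u.decode("latin-1") for u in _URL.findall(blob)],
            "data": blob,
        })
    return found


if __name__ == "__main__":
    for f in carve_sfnt_fonts(wrap_font_in_pdf(fake_sfnt())):
        print(f["filename"], f["kind"], f["size"], "bytes", f["sha256"][:16] + "...", f["tables"], f["urls"])
```

The licence URL inside the name table only appears after the font stream is inflated, which is why URLs of that kind belong to a font channel in a per-URL listing and never to a link annotation a reader could click.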