Malicious PDF — malware analysis report

Static analysis result for SHA-256 6407690d2b1130c0…

Verdict: MALICIOUS
File type: PDF

Size: 92.7 KB
Created: 2021-03-15 06:55:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd1e89af6d59d4f66eca8b9afe14c167
SHA-1: 976a58014d01f95d32211e05ce4b8c9492aca881
SHA-256: 6407690d2b1130c037f850be7d57146238d5b5f2f4dd74ed72675d9a7d773c38
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by a ClamAV signature, by the Nyx ML classifier (score 0.9964) and by the PDF_SEO_LINK_FARM heuristic. It is a small wkhtmltopdf-generated document whose content is a mass of clickable external links to other PDFs hosted on a few site-builder CDN and free-hosting domains, a pattern that matches generated SEO link-farm carriers used to route users into phishing or unwanted-software delivery chains rather than a document with genuine citations. No JavaScript or other script content was extracted from the file, so the T1059.007 mapping is not backed by recovered code; the concrete risk is the link targets, which can redirect a user who clicks through to malicious sites or further payloads. One indirect object is also defined twice with different bodies (an incremental-update shape that first-wins and last-wins readers resolve differently); it is reported at info severity, which is consistent with the duplicate not carrying active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature match
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI action
    The PDF contains at least one external URL action (a /URI action).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it is reported at info level.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are not shown in this listing, so the list below does not distinguish clickable link targets from URLs that merely occur in the file. The last seven entries (the w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP namespace URIs, and the SIL Open Font License URL) are metadata and font-licence identifiers rather than navigation targets and should not be counted toward the link-farm total.
    • https://zajinet.ru/wix?keyword=kinemaster+mod+apk+2019+4k
    • https://static.s123-cdn-static.com/uploads/4424951/normal_5feeff9f449f2.pdf
    • https://static.s123-cdn-static.com/uploads/4484399/normal_5ff620f7d043c.pdf
    • https://cdn-cms.f-static.net/uploads/4389823/normal_60132275be105.pdf
    • https://static.s123-cdn-static.com/uploads/4380857/normal_5fc72a5857f18.pdf
    • https://cdn-cms.f-static.net/uploads/4445119/normal_604d3b3a20a62.pdf
    • https://cdn-cms.f-static.net/uploads/4428069/normal_6049208542cbe.pdf
    • https://cdn-cms.f-static.net/uploads/4459776/normal_6037054367777.pdf
    • https://cdn-cms.f-static.net/uploads/4404740/normal_60255e7f8d5be.pdf
    • https://cdn-cms.f-static.net/uploads/4379034/normal_5fd6eceb41e96.pdf
    • https://cdn-cms.f-static.net/uploads/4455886/normal_6049a6811fa4e.pdf
    • https://cdn-cms.f-static.net/uploads/4405650/normal_60224e25d0334.pdf
    • https://cdn-cms.f-static.net/uploads/4447487/normal_6010cd0808ea7.pdf
    • https://static.s123-cdn-static.com/uploads/4467322/normal_5fdf01d28a67f.pdf
    • https://static.s123-cdn-static.com/uploads/4489599/normal_5fe334c8b3f75.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/29045723-d28b-48b1-a9ce-ca3ec18e92b5/75615338216.pdf
    • https://6593eeda-10fe-4128-810f-cbbc79f0a4f8.filesusr.com/ugd/c0a4bf_3bac75476c194a79a814affd7f09faa0.pdf?index=true
    • http://zukagebogewivur.epizy.com/verizon_router_upnp_settings.pdf
    • https://b5f169ef-6bcf-4d19-a24b-32bdc9dd7a5f.filesusr.com/ugd/2e79a6_fb91a3a4f7254023ac07fc5875d2140d.pdf?index=true
    • http://bupagiji.epizy.com/rotatewo.pdf
    • http://rapuxatidugek.epizy.com/manualidades_con_botellas_de_plastico_faciles.pdf
    • https://uploads.strikinglycdn.com/files/02b7a64f-dcd7-40c1-95b3-e06e744ee704/national_boy_scout_office_irving_texas.pdf
    • https://uploads.strikinglycdn.com/files/69baad33-0310-45d5-98b7-0c4e811fd632/72105145017.pdf
    • https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_fab5f46127194bf3b09e7e75c858022a.pdf?index=true
    • https://16564176-4c62-44d7-82e3-1dea6b832d73.filesusr.com/ugd/5e57cf_dee2e9f955b94a06b5bde2cccb0acec4.pdf?index=true
    • http://duguzikazom.rf.gd/tawny_man_trilogy_download.pdf
    • https://uploads.strikinglycdn.com/files/73e91e00-0015-4598-afb7-9bc584df3155/zefosaj.pdf
    • https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_3948935d5f654fc68cfd8973f9bf8d24.pdf?index=true
    • http://zokugapifixi.rf.gd/29152795016.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
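The two structural checks above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added example that is not the scanner's own code: a small Python triage script that enumerates indirect objects, reports object numbers defined twice with different bodies, resolves the object table under both first-wins and last-wins policies, extracts /URI action targets from each view, and applies a link-farm test (small file, several links, most of them on one host). The sample PDF, the thresholds and all function names are assumptions made for illustration; the sample omits xref tables because this regex-based scanner does not need them.

```python
"""Added example (not part of the report or its scanner): a toy PDF triage that
reproduces PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over a
constructed sample.  Names, thresholds and the sample document are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a one-page PDF with four /Link
# annotations, followed by an incremental update that redefines object 5 with a
# different /URI.  xref tables are omitted; this scanner does not need them and
# lenient readers rebuild them anyway.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 20] /A << /S /URI /URI (https://cdn.example.net/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 30 100 40] /A << /S /URI /URI (https://cdn.example.net/uploads/2/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [10 50 100 60] /A << /S /URI /URI (https://cdn.example.net/uploads/3/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [10 70 100 80] /A << /S /URI /URI (http://www.example.org/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 30 100 40] /A << /S /URI /URI (https://landing.example.ru/wix?keyword=mod+apk) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # toy: ignores escaped parens and hex strings


def indirect_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def duplicate_definitions(data):
    """Object keys defined more than once with differing bodies, as in an incremental update."""
    seen = {}
    for num, gen, body in indirect_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, policy):
    """Build an object table under a 'first' or 'last' definition-wins policy."""
    table = {}
    for num, gen, body in indirect_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def uri_actions(objects):
    """Targets of every /URI action found in the resolved bodies."""
    return [m.group(1).decode("latin-1") for body in objects.values() for m in URI_RE.finditer(body)]


def link_farm_score(uris, size_bytes, max_size=200_000, min_links=3, cluster_ratio=0.6):
    """Flag a small document whose external links mostly point at one host (assumed thresholds)."""
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    if size_bytes > max_size or len(uris) < min_links:
        return {"flag": False, "links": len(uris), "top_host": None, "hosts": dict(hosts)}
    top_host, top_count = hosts.most_common(1)[0]
    return {"flag": top_count / len(uris) >= cluster_ratio, "links": len(uris),
            "top_host": top_host, "hosts": dict(hosts)}


def triage(data):
    """Run both checks; the link-farm verdict is computed under each resolution policy."""
    report = {"duplicate_objects": sorted(duplicate_definitions(data)), "views": {}}
    for policy in ("first", "last"):
        uris = uri_actions(resolve(data, policy))
        report["views"][policy] = {"uris": uris, **link_farm_score(uris, len(data))}
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    print("duplicate objects:", r["duplicate_objects"])
    for policy, view in r["views"].items():
        print(f"{policy}-wins: {view['links']} links, top host {view['top_host']}, flag={view['flag']}")
```

Run it directly to see that the first-wins view flags the sample as a link farm while the last-wins view, in which the incremental update replaces one annotation's target, does not. That disagreement is exactly why the duplicate-object shape matters: a scanner and a viewer that pick different winners see different link sets.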

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012c1b.bin
  SHA-256: f254f8d1fddf47b2e78aeaa3be05974cff6ffffe1a341341a703fb8ea7939585
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12C1B
  Size: 5676 bytes

Filename: font_01_sfnt_off00013f51.bin
  SHA-256: 0cabd8bbc5170239fb8afd8c36d740662e1ec1e7b9bed218ce247f884b41bb52
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13F51
  Size: 11160 bytes
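Reproducing an artifact entry like the two above, as an added example that is not the analysis platform's own carver: the script scans a byte blob for sfnt signatures, validates the table directory (table count, printable tags, in-bounds offsets), takes the long-aligned span covered by the directory as the font's size, and hashes the carved bytes so they can be compared with a listed SHA-256. The container bytes and the minimal font are constructed inside the block; the validation limits and helper names are assumptions.

```python
"""Added example (not the scanner's own carver): find embedded sfnt fonts in a
byte blob by locating an sfnt header, validating its table directory and taking
the span the directory covers as the carved file.  Sample data is constructed."""
import hashlib
import re
import struct

# TrueType (0x00010000), CFF-based OpenType ("OTTO") and Apple ("true") sfnt magics.
SFNT_MAGIC_RE = re.compile(rb"\x00\x01\x00\x00|OTTO|true")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_extent(blob, off):
    """Byte length of the sfnt starting at `off`, or None if the header is implausible.
    Tables are long-aligned in the sfnt format, so the end is rounded up to 4 bytes."""
    if len(blob) < off + 12:
        return None
    num_tables = struct.unpack(">H", blob[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:                 # assumed sanity limit; real fonts have a handful
        return None
    end = off + 12 + 16 * num_tables              # at least the directory itself
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(blob):
            return None
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= b < 0x7F for b in tag):   # table tags are printable ASCII
            return None
        if toff < 12 or off + toff + tlen > len(blob):
            return None
        end = max(end, off + toff + tlen)
    length = end - off
    return length + (-length % 4)


def carve_sfnt_fonts(blob):
    """Return [(offset, size, sha256)] for every validated sfnt header in the blob."""
    found = []
    for m in SFNT_MAGIC_RE.finditer(blob):
        size = sfnt_extent(blob, m.start())
        if size is not None:
            data = blob[m.start():m.start() + size]
            found.append((m.start(), size, sha256_hex(data)))
    return found


def build_sample_sfnt(tables=((b"head", b"\x00" * 54), (b"name", b"\x00" * 6))):
    """Constructed minimal sfnt: header, table directory, long-aligned table data."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    directory, body, off = b"", b"", 12 + 16 * len(tables)
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return header + directory + body


# Constructed container: PDF-like text around the font.  The literal "true" in the
# dictionary is a magic-value false positive that the directory check rejects.
SAMPLE_FONT = build_sample_sfnt()
SAMPLE_BLOB = (b"%PDF-1.4\n9 0 obj << /Length 108 /Interpolate true >>\nstream\n"
               + SAMPLE_FONT + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for off, size, digest in carve_sfnt_fonts(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{off:X}, {size} bytes, sha256 {digest}")
```

To check a real entry, run carve_sfnt_fonts over the sample bytes and compare the offset, size and digest with the table; a mismatch in size usually means the carver on the other side used the stream's /Length rather than the table directory.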