Malicious PDF — malware analysis report

Static analysis result for SHA-256 6469c96cd33f0177…

MALICIOUS

PDF

124.0 KB Created: 2021-03-25 02:11:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17893a4a0e68ff0084cebea141bfe820 SHA-1: 5c30ef293e94fce95007206253e88b849888e943 SHA-256: 6469c96cd33f01779ef929a492ab181601851e5f25b86b8bb9fd4ff9bc74a1da
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains numerous external links, many pointing to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, likely to redirect users to phishing sites or download further malware. No scripts were extracted, but the PDF structure itself is used to host and distribute these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=how+to+play+spades+joker+joker+deuce+ace
    • https://cdn.sqhk.co/woxiwovar/c5ggxhb/95735953247.pdf
    • https://vutuwoti.weebly.com/uploads/1/3/4/7/134720014/xogotofavumom.pdf
    • https://mitigifagoted.weebly.com/uploads/1/3/5/3/135325532/981c64d10ab7ae1.pdf
    • https://static.s123-cdn-static.com/uploads/4464734/normal_5ff4c5d3b5670.pdf
    • https://cdn.sqhk.co/dawadetugas/heqOhjH/67624015656.pdf
    • https://static.s123-cdn-static.com/uploads/4416504/normal_5fce0eff647a3.pdf
    • https://cdn.sqhk.co/jawuraxexije/N5fhcge/riwedibipufu.pdf
    • https://cdn-cms.f-static.net/uploads/4372105/normal_60324f2691828.pdf
    • https://cdn-cms.f-static.net/uploads/4501361/normal_5fd76e3ca26a1.pdf
    • https://cdn.sqhk.co/xagaxubibiz/eHhbhhL/milk_chocolate_chips_guittard.pdf
    • https://cdn.sqhk.co/tufuboloruj/iiIXTgg/vovusibol.pdf
    • https://cdn.sqhk.co/geruvijiwiw/2hjgchg/16921548620.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4b3b4da4-1145-40fd-8a04-0ac29766dab0.filesusr.com/ugd/6c6203_4110a85b36ed4b919b0f91fb2434aeb0.pdf?index=true
    • https://s3.amazonaws.com/mixanaz/rilifix.pdf
    • https://s3.amazonaws.com/mudurixo/85551934624.pdf
    • https://s3.amazonaws.com/julexekubaj/gitoxikizur.pdf
    • https://e0d0d77b-4c00-4265-bc22-f0cc5cf11ada.filesusr.com/ugd/957eb4_aa615c3e4662434eb6b3c03beaa45038.pdf?index=true
    • https://s3.amazonaws.com/tadevewuju/how_to_wind_a_westminster_chime_clock.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001a80d.bin
ae3108e940aaa84c1c3b11fa0bff73ffc6fb9103c8f20720884d934e6e0ee7ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A80D 5360 bytes
font_01_sfnt_off0001ba73.bin
5cd54885a196343c69885d36429e348fa03bc18b53e3b6e78dac4ce0c23d1abe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BA73 11624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.