Malicious PDF — malware analysis report

Static analysis result for SHA-256 67907cf06be818c8…

MALICIOUS

PDF

Size: 85.8 KB
Created: 2021-03-29 22:56:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0c6270438666970ddaf53b8fb704a24
SHA-1: 2edd67cc06b522df96e4c1cd5acf7f47bdfed2f3
SHA-256: 67907cf06be818c8b270ea8359f39f1b35b8b84387755b98ae1a12f3e8a3cf35
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for phishing or directing users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URIs suggest an attempt to redirect users to potentially harmful content, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-definition-wins reader and a last-definition-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/aws?utm_term=c+language+reference+card
    • https://cdn.sqhk.co/munuluxel/5jfhjgw/amazon_fire_tv_4k_remote_app.pdf
    • https://cdn.sqhk.co/letarezetap/glkiijh/37947139217.pdf
    • https://cdn.sqhk.co/waxoxewanuvi/HnY2lhi/dead_man_walking_song_jon_bellion_lyrics.pdf
    • http://gubilof.22web.org/84081416340.pdf
    • https://cdn.sqhk.co/pitekofotada/ihbwt4a/lujopepitemetujovogefuk.pdf
    • http://myimperfectmomlife.com/dipovusigoettzg.pdf
    • http://probkin34.xyz/62442886538p1c1d.pdf
    • https://cdn.sqhk.co/dazanukisafa/apjh6jf/inseminator_game_guide.pdf
    • https://cdn.sqhk.co/losomilodip/hgPxhd6/entergy_power_outages_report.pdf
    • https://cdn.sqhk.co/bepesewutu/b3tj9G7/65651415980.pdf
    • https://cdn.sqhk.co/bulegumu/nCbjdja/zorebudagisotawesuruxifo.pdf
    • https://cdn.sqhk.co/dimusokobab/4hi1haW/long_division_worksheets_grade_6_with_answers.pdf
    • https://cdn.sqhk.co/neridisen/LjfPuia/advanced_level_mathematics_notes.pdf
    • https://cdn.sqhk.co/kixarozikej/dbiehjD/27661328082.pdf
    • http://pudevivufug.22web.org/vugozuwasorepugo.pdf
    • http://fontawesome.io
    • http://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pefogitoveni.epizy.com/64991879853.pdf
    • http://xuwomotibinifen.rf.gd/muscle_definition_workout_routines.pdf
    • https://48bf584d-d56c-45cf-b4f3-c1c05dce5274.filesusr.com/ugd/3f4b99_15e83d07d12c4a0ba819cd4eaf2dea5c.pdf?index=true
    • https://ef90beaa-bca2-431e-862c-49c19dd94618.filesusr.com/ugd/06497e_493978ddc61a487d9de85fa53a5c9d2d.pdf?index=true
    • https://8f0c9b82-9570-4081-bbb7-5e23a534ea09.filesusr.com/ugd/7008f3_929c1683a50e48099e3947de2525b741.pdf?index=true
    • http://bosadubarelazu.rf.gd/3493873419.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off0000f011.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF011
    Size: 1768 bytes
    SHA-256: d86cd94831a435d8271e97c9410d71283f4e1b5b5c5ede8fde6d7acc7db15128
  • font_01_sfnt_off0000f8a8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8A8
    Size: 4916 bytes
    SHA-256: 651383001e2eef6dad8adfa43074ed7c164eaf140d3bafea1df69137808ac1f7
  • font_02_sfnt_off0001096f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1096F
    Size: 12056 bytes
    SHA-256: 283d378adedcb55f66abdc75c46f145eae200ff07d2298e6c39b528a1e204110
  • font_03_sfnt_off000132bf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x132BF
    Size: 16536 bytes
    SHA-256: 9a6c689bc31e60aba23285ee2bd38f31f92c250e288e6a31f557aa441b465bff