Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e436d39f88568b4…

Verdict: MALICIOUS
File type: PDF
Size: 87.9 KB
Created: 2021-03-23 08:04:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36ae84723f44ab5f00ed9a08923c9003
SHA-1: e5bbf54bbfedce319b9f3c222722fa4682c4a7c5
SHA-256: 6e436d39f88568b448f3f044d03f1437b8af83f6c806979e114f6e9e5aa80d33
Risk score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains over two dozen external links to other PDFs, clustered on a few file-hosting/CDN hosts, which matches a generated SEO/link-farm carrier rather than a document with genuine citations. The SE_CALLBACK_LURE heuristic indicates that the visible content asks the reader to call a phone number in a billing, refund or security context, the pattern of tech-support scams and callback phishing. No JavaScript or other active content was extracted from the file, so the T1059.007 mapping is not backed by a recovered script; the verdict rests on the link-farm structure, the callback lure, the ClamAV signature and the ML classification (malicious score 0.9925), and the likely intent is to route users to phishing or unwanted-software pages or to initiate fraudulent calls. The producer string (wkhtmltopdf) and creation date are self-reported document metadata and are not authenticated, although they are consistent with an HTML-to-PDF generated carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9925

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    The document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) state how each URL was reached, but those labels are not reproduced in the list below. The .pdf links are the link-farm targets. The trailing entries under w3.org, purl.org and ns.adobe.com are XMP/RDF namespace URIs from the document metadata, not clickable links, and the scripts.sil.org/OFL, dejavu.sourceforge.net and ascendercorp.com entries are typical of licence and foundry strings carried in the name tables of the embedded fonts listed under Extracted artifacts.
    • https://bologen.ru/wix?keyword=ninja+kitty+pubg
    • https://cdn-cms.f-static.net/uploads/4493610/normal_60404f4b01fc4.pdf
    • https://static.s123-cdn-static.com/uploads/4382952/normal_5ff678542b0af.pdf
    • https://cdn-cms.f-static.net/uploads/4366408/normal_602645f722ca4.pdf
    • https://cdn-cms.f-static.net/uploads/4420430/normal_60349a9125801.pdf
    • https://static.s123-cdn-static.com/uploads/4391634/normal_5ff9f396cf5c2.pdf
    • https://static.s123-cdn-static.com/uploads/4456399/normal_5ffac482b1e5f.pdf
    • https://cdn-cms.f-static.net/uploads/4476273/normal_601ad4178bcb8.pdf
    • https://vakalebixop.weebly.com/uploads/1/3/5/3/135339933/rusimosumugumiwiveju.pdf
    • https://cdn.sqhk.co/sulubejes/hdijNic/ship_games_simulator_professional_v2._0.pdf
    • https://static.s123-cdn-static.com/uploads/4410433/normal_5ff79cb042fe2.pdf
    • https://cdn.sqhk.co/zowonefaso/euiaiod/real_driving_simulator_mod_apk_download_for_android.pdf
    • https://safalijig.weebly.com/uploads/1/3/1/0/131070993/jeguxiw-denuvotuw.pdf
    • http://autobuff.xyz/950962021xlhdb.pdf
    • https://jiwosanoxonu.weebly.com/uploads/1/3/5/2/135299962/401850380a.pdf
    • https://cdn-cms.f-static.net/uploads/4379959/normal_604d4e6bb6e46.pdf
    • https://cdn-cms.f-static.net/uploads/4447107/normal_6051b02004dc1.pdf
    • https://static.s123-cdn-static.com/uploads/4413703/normal_5ff5412936986.pdf
    • https://cdn-cms.f-static.net/uploads/4416921/normal_6047d0877b6b0.pdf
    • http://8bitbeardsco.com/best_blues_guitarists_of_all_time_listw2rmd.pdf
    • https://cdn-cms.f-static.net/uploads/4482228/normal_604786b517ea9.pdf
    • https://wodirukuz.weebly.com/uploads/1/3/5/3/135398055/8a2ebd07fbd7.pdf
    • https://cdn-cms.f-static.net/uploads/4389376/normal_604cda9329be9.pdf
    • http://daating19.site/16006930097vuwxx.pdf
    • https://bagekitavaseb.weebly.com/uploads/1/3/1/0/131070055/1569401.pdf
    • https://cdn.sqhk.co/jigavozef/iaiaXjj/dynamixel_workbench_position.pdf
    • https://static.s123-cdn-static.com/uploads/4420610/normal_5fced34c2db38.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
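As an added example, not code from the report or from the analysis engine that produced it: a small Python triage script that implements the two structural checks above, the PDF_SEO_LINK_FARM host clustering and the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL first-wins/last-wins resolution, and runs them against a constructed sample PDF built inline. The sample, its hostnames (all under .invalid) and the size/link-count/clustering thresholds are assumptions for illustration, not values taken from the report. It is regex based and only sees objects and /URI strings stored uncompressed, so in a real file the FlateDecode'd streams (such as the carved stream_003) and any object streams would have to be inflated first.

```python
"""Static PDF triage: duplicate object definitions and link-farm shape.
Added example; hostnames and thresholds are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order, including redefinitions appended by
# incremental updates. The lookbehind stops "12 0 obj" matching as "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI values only; hex-string form <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def enumerate_objects(data):
    """Yield (num, gen, body) for every object definition in the file."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """Map (num, gen) -> list of bodies for objects defined more than once
    with differing bytes (the duplicate-object-body shape)."""
    seen = {}
    for num, gen, body in enumerate_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader renders for (num, gen).
    xref-driven viewers normally honour the last definition after an
    incremental update; naive linear scanners often take the first."""
    bodies = [b for n, g, b in enumerate_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """Return /URI action targets as text, unescaping \\( \\) and \\\\."""
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_score(data, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """Flag a small PDF whose external links are numerous and concentrated on
    one host. The thresholds are assumed for this example, not the report's."""
    uris = extract_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = len(data) <= max_size and len(uris) >= min_links and share >= cluster_ratio
    return {"size": len(data), "links": len(uris), "top_host": top_host,
            "top_host_share": round(share, 3), "flagged": flagged}


def build_sample_pdf(n_links=12, farm_host="cdn-example.invalid"):
    """Constructed sample, not the analysed file: a tiny PDF whose link
    annotations mostly point at one host, followed by an incremental update
    that redefines object 4 0 with a different /URI."""
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(n_links))
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    pdf += b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>\nendobj\n"
    for i in range(n_links):
        host = farm_host if i % 5 else "other-host.invalid"  # 4 in 5 on the farm host
        pdf += (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
                b"/URI (https://%s/uploads/%d/normal.pdf) >> >>\nendobj\n"
                % (4 + i, host.encode(), i))
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    pdf += (b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://lure.invalid/call-now) >> >>\nendobj\n")
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    for key, bodies in duplicate_objects(sample).items():
        print("duplicate object %d %d: %d bodies" % (key[0], key[1], len(bodies)))
        print("  first-wins:", resolve(sample, *key, policy="first"))
        print("  last-wins: ", resolve(sample, *key, policy="last"))
```

Run it as a script to see the clustering summary and the two different /URI targets a first-wins and a last-wins parser would hand to the user for the same object; pointing `link_farm_score` and `duplicate_objects` at a real file only works after its compressed streams have been inflated, since the regexes do not see inside FlateDecode or /ObjStm containers.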

Extracted artifacts (4)

Files carved from inside the sample during analysis.

stream_003_off0000fbec.bin
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0xFBEC
    Size:    8272 bytes
    SHA-256: c9ba67061487d233d5cad69bc8357d1b83d7b7974d864a7f7d540ad8357adade
font_00_sfnt_off0000eaa8.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xEAA8
    Size:    5032 bytes
    SHA-256: 771b413a2d5568768baca53a715416f58ac40ce16dca574891d93f6e96978f4c
font_02_sfnt_off00011809.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x11809
    Size:    10660 bytes
    SHA-256: d3eaf8a53bdcb97b5182ff580328e68a787ced0780f1c5d8bcd38dc81864844d
font_03_sfnt_off00013c6d.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x13C6D
    Size:    16148 bytes
    SHA-256: 676a6f9980301d650ad9b511319da6dac9fff4f77c228169d287e5253a078183