Malicious PDF — malware analysis report

Static analysis result for SHA-256 6eee443da35c296a…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-04-25 03:46:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 522e3f448737bebab6dbe7128036ab90
SHA-1: 4ac91a077ee59e38890b883c9a944f5526d359f6
SHA-256: 6eee443da35c296aaa8a520fe08267b9a63ddce4334def680be282939717c9c7
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a malicious intent to redirect users. ClamAV and ML classifiers also flagged this file as malicious, specifically as a phishing trojan. While no scripts were directly extracted, the PDF structure and link farm indicate a likely attempt to deliver malicious content or phish credentials via the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000edd2.bin
    SHA-256: 4b44a64744249b0f22d08b9b25eeee48ded36a6c9064b78f75f9ff7ac0475e05
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDD2
    Size: 5160 bytes
  • Filename: font_01_sfnt_off0000ff84.bin
    SHA-256: 831a564b4f328220a9375a32715652fadd19276258d18ca715fcada6876540af
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF84
    Size: 10792 bytes