Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f7d8eb899f451aa…

MALICIOUS

PDF

81.4 KB Created: 2021-03-15 17:34:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c12ce79bb583fa36098e2892d1df8eac SHA-1: d4dbbbdd7b9ceccb00fd283b0c698897235406e2 SHA-256: 6f7d8eb899f451aafc3742fdbf4da0bdec8dc50dddf8644c9d6964969468000e
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged as malicious by ClamAV and an ML classifier. It contains numerous external links, with one specifically pointing to a URL associated with phishing. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may be part of a multi-stage attack involving encrypted payloads, and 'SE_CALLBACK_LURE' indicates a potential callback phishing or tech-support scam pretext. The presence of embedded URLs further supports the phishing or malicious redirection attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/aws?utm_term=driver%2527s+license+number+nj+probationary
    • http://pumujavebedopa.iblogger.org/vpn_ios_6.pdf
    • http://lalexejiwisejul.iblogger.org/sojimuriwena.pdf
    • https://repemokalit.weebly.com/uploads/1/3/1/8/131856723/rekefaloxuf-lutejakab.pdf
    • http://pojezer.iblogger.org/firefox_portable_47_free.pdf
    • https://dafavazama.weebly.com/uploads/1/3/4/8/134893815/19df879b24.pdf
    • https://xumomeroruv.weebly.com/uploads/1/3/4/2/134266579/dabiw_bajasawelinez.pdf
    • https://cdn-cms.f-static.net/uploads/4454281/normal_5fe9b7a14c294.pdf
    • https://fabapetabi.weebly.com/uploads/1/3/4/6/134687037/lizilo_moruruni.pdf
    • https://xalifabosivibu.weebly.com/uploads/1/3/0/7/130775217/4492364.pdf
    • https://cdn-cms.f-static.net/uploads/4375891/normal_603fa78a352c9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bekisamusexasu.rf.gd/bethel_music_victory_album_free.pdf
    • https://uploads.strikinglycdn.com/files/8e25a681-a065-4c75-8323-f7f0d0fd4c6a/avaya_one-x_softphone_call_forwarding.pdf
    • https://uploads.strikinglycdn.com/files/dd3e27b7-8e39-4dd3-9e88-732c3d5a040b/adt_wireless_monitoring_cost.pdf
    • https://uploads.strikinglycdn.com/files/871f6c0a-939f-4756-89cf-17527fb30745/81673160014.pdf
    • https://uploads.strikinglycdn.com/files/650ca67e-ccc1-4499-9c5b-d8af5af47dd5/finimudomisojafupuza.pdf
    • https://s3.amazonaws.com/remuv/41068083581.pdf
    • https://uploads.strikinglycdn.com/files/c367fdc3-4258-4c86-ae17-709a77254008/95863188873.pdf
    • https://uploads.strikinglycdn.com/files/049819be-8980-4c05-8a56-1fb349ddf3b7/how_to_fix_mouse_problems.pdf
    • https://uploads.strikinglycdn.com/files/6ff568b6-5587-4c3d-af00-e975f39cf217/2004_honda_odyssey_power_steering_fluid_leak.pdf
    • https://s3.amazonaws.com/megodipewukitoj/functional_analysis_yosida.pdf
    • https://uploads.strikinglycdn.com/files/36d3a1d9-bfb4-4c5d-81a5-5ff8e016c3be/18105653535.pdf
    • http://nugafafekovad.epizy.com/asuran_bgm_ringtone_songs.pdf
    • https://uploads.strikinglycdn.com/files/c6bbb306-3674-4e68-aced-cea5cfc8fa3e/how_much_does_gre_exam_cost.pdf
    • https://uploads.strikinglycdn.com/files/1c84a826-ea34-41fa-86b2-6efddf05fa0f/ode_to_aphrodite_sappho_analysis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ff0d.bin
a0c41a91a71b6663984941f4e067610a7fbad78773e2da51a821745a7636a153		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF0D 5492 bytes
font_01_sfnt_off000111be.bin
e7238c2b02373cc939dce7253819c34518e655ce9969caede4329abd363db708		 pdf-font-stream PDF embedded font (sfnt) at offset 0x111BE 11200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.