Malicious PDF — malware analysis report

Static analysis result for SHA-256 7097f04d9b0bbbc7…

Verdict: MALICIOUS
File type: PDF
Size: 100.4 KB
Created: 2021-03-15 02:37:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ab1bfe56ab0849e8b029833fe483065
SHA-1: e0aa11ca2c6b647146a1fad0092ed1f012de048c
SHA-256: 7097f04d9b0bbbc7191758e478000504c5ce589ea9b6a4a2fa8c08876c6b7605
Risk Score: 196

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to suspicious domains and are presented in a way that mimics search results for academic papers. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to redirect the user to malicious content, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE)
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=ssc+stenographer+previous+year+question+paper+pdf+download
    • https://static.s123-cdn-static.com/uploads/4497359/normal_5fe27372abaf1.pdf
    • https://kuxilididid.weebly.com/uploads/1/3/4/3/134387830/4e400ea2ec.pdf
    • https://cdn.sqhk.co/kejopala/giajapx/4806905333.pdf
    • https://cdn.sqhk.co/sedazozesufu/gaeOjgk/zokaletowurod.pdf
    • https://static.s123-cdn-static.com/uploads/4377697/normal_5fec171436d86.pdf
    • https://cdn.sqhk.co/kibizatududo/hjxhcGX/50649044430.pdf
    • https://cdn.sqhk.co/vibisidumes/hegfmgj/93736026843.pdf
    • https://cdn.sqhk.co/nefakovuwot/NOhhUnB/95517826465.pdf
    • https://cdn.sqhk.co/xovinexesun/hbE6ieJ/6352893566.pdf
    • https://cdn.sqhk.co/sunomedude/jjdiigf/sniper_elite_4_switch_amazon.pdf
    • https://cdn.sqhk.co/remonupode/hcNGhhO/68822789668.pdf
    • https://jepuderakemuso.weebly.com/uploads/1/3/4/6/134666912/9424686.pdf
    • https://napemoxirakula.weebly.com/uploads/1/3/4/6/134682748/bffdcd0a.pdf
    • http://moymagazin.xyz/run_less_run_faster_reviewlo9fx.pdf
    • https://cdn-cms.f-static.net/uploads/4408991/normal_602baa1f0cb23.pdf
    • https://nixemuro.weebly.com/uploads/1/3/5/2/135299514/natazunuv_melogaxarijo.pdf
    • https://cdn.sqhk.co/busumodofu/Tiagdse/juvamalaro.pdf
    • http://com-login8.xyz/73193855895bn9.pdf
    • https://cdn-cms.f-static.net/uploads/4475570/normal_5fe98ee743e8a.pdf
    • https://cdn.sqhk.co/zuzikewed/RrMignr/arena_stage_diagram.pdf
    • http://the-glow.ru/gixagurhka3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://6cdf8c5e-36a0-4b6d-987f-32d3d50030cd.filesusr.com/ugd/3c2e2e_3bb2bad395ea4922aa74eb81b4b33f53.pdf?index=true
    • https://a0f88182-e1f9-4a9c-ba22-d5ce004c6985.filesusr.com/ugd/2f3216_57a0aad1bf184d98a6cae639249a0f53.pdf?index=true
    • https://709e7e89-b264-4d73-b757-064736ed86f1.filesusr.com/ugd/f523c3_82ff872ccfce4c5c91a02231d6a3d09d.pdf?index=true
    • https://0c6b7a74-1ca0-41da-943c-c268a208a416.filesusr.com/ugd/fef373_22945d4b29b34bfd914275e9e1b6304a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000111e8.bin
    SHA-256: 6b937ce55fd4290eb199b4180b0bbb6a8bef4138d1121908335cbc1903dec1f5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111E8
    Size: 5900 bytes
  • Filename: font_01_sfnt_off00012605.bin
    SHA-256: 6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12605
    Size: 3720 bytes
  • Filename: font_02_sfnt_off00013168.bin
    SHA-256: df90138a4a113241f4a9e1f01b096fa3855badba1f8d59e13f6f84a576964ae5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13168
    Size: 10828 bytes
  • Filename: font_03_sfnt_off000156b0.bin
    SHA-256: f0160b32723e50450eeae1693635dfaf20dd85a093456444d09980558afdb9d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x156B0
    Size: 14988 bytes