Malicious PDF — malware analysis report

Static analysis result for SHA-256 70d868c478ba8a61…

Verdict: MALICIOUS
File type: PDF
Size: 80.6 KB
Created: 2021-03-11 20:54:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae7a8050fd8401aa49615b1436395f15
SHA-1: 72334c217f2534b3193c0b61e08aea850a8b273e
SHA-256: 70d868c478ba8a61f4bd25a1a258025265192f87b923d661d61306e1120e5bee
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including ClamAV and an ML classifier. It contains numerous external links, with one prominent URL pointing to a suspicious domain, likely intended to redirect users to a phishing or malware site. The document body, though heavily obfuscated, suggests a lure related to iPad features, a common social-engineering tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/123?utm_term=how+to+turn+on+guided+access+ipad
    • https://cdn.sqhk.co/xojafimib/mHNOjjn/irunner_app_support.pdf
    • https://cdn.sqhk.co/somepizeko/fhbgfCa/free_offline_pc_games_list.pdf
    • https://cdn.sqhk.co/xoripudesew/gigVgig/ibis_paint_icon_aesthetic.pdf
    • https://cdn.sqhk.co/puzukebejas/jdvgjia/53662315277.pdf
    • https://cdn.sqhk.co/duditizonut/hi1y5gg/global_warming_causes_and_effects_slideshare.pdf
    • https://lanuwoga.weebly.com/uploads/1/3/1/6/131637333/farupu.pdf
    • https://cdn.sqhk.co/bujasugawo/hihXhbI/netiga.pdf
    • https://cdn.sqhk.co/tajixixejafi/dghYQjf/wuxanut.pdf
    • https://gipazekafasulal.weebly.com/uploads/1/3/4/6/134600210/nokelesavetexebedi.pdf
    • https://ridimejaxokixis.weebly.com/uploads/1/3/5/3/135340331/vetupiwobuxajebenimi.pdf
    • https://mozeduxazos.weebly.com/uploads/1/3/4/0/134018133/dusexizerexevu_gusuwut_soxalapo_tisilo.pdf
    • https://dakikizubebara.weebly.com/uploads/1/3/4/8/134889455/xezikavuzekeno.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://564fd4a8-0e6d-4f97-813a-a14a70c45316.filesusr.com/ugd/f90d28_f145a67207384cc2af254d9558e7bdb0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0401c769-1457-44ef-912f-b9c80de23d69/dell_venue_8_pro_hard_reboot.pdf
    • https://uploads.strikinglycdn.com/files/3246092a-c462-4e11-be10-96a140da54c5/6524993760.pdf
    • https://uploads.strikinglycdn.com/files/c3ce2648-9afb-4deb-8b91-95c7275a45c3/jorobepelenepabub.pdf
    • https://a04ad255-06d6-4b17-97e7-91173d300295.filesusr.com/ugd/6864df_0edf91dd51e44312bd10f051be35263f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8d59dd24-e710-43c4-b369-7caf09772cc2/30537041017.pdf
    • https://a7176590-a44a-43b4-8b25-1171fb6190ac.filesusr.com/ugd/e6ccb8_bd1d5c64f15f4a0f81d77c61827efb2d.pdf?index=true
    • https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_c1e8081c68514022b6df4823b49f2327.pdf?index=true
    • https://63b1f34b-4847-450f-8d9a-4788d10e1cf5.filesusr.com/ugd/451a43_edb035f7458e4742898a51612eb084bd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fe3f.bin
    SHA-256: 0666a61b120855da2300f2e1bdc8d398e31e4cf898d09859c4a338a5cf28aeb5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE3F
    Size: 5264 bytes
  • Filename: font_01_sfnt_off00011048.bin
    SHA-256: c2aff808624916e00498ace8fa05f5f3d8a12c502b282d206996a1d696f18051
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11048
    Size: 11100 bytes