Malicious PDF — malware analysis report

Static analysis result for SHA-256 71d7737e9448c59d…

Verdict: MALICIOUS
File type: PDF
Size: 81.8 KB
Created: 2021-06-10 20:07:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c470bd91391e94d072f73ae1e0987ae
SHA-1: dddde9148ed867d5457147d7360ae42a468d2c67
SHA-256: 71d7737e9448c59d05e85bd78032412b2ea9616e5025a5a27deb35def73756c4
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics and a machine learning classifier, and ClamAV identifies it as a phishing trojan. The large number of external links, including one pointing to a potential link farm, suggests an attempt either to redirect users to malicious sites or to manipulate search rankings. The document body, though heavily obfuscated, contains wkhtmltopdf metadata and a creation date but no clear user-facing text. No scripts were extracted, but the PDF structure and the link-farm heuristic indicate that the document is intended to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://synerhu.ru/pbw?utm_term=how+many+calories+is+a+caramel+macchiato+with+almond+milk
    • https://rulipativix.weebly.com/uploads/1/3/1/6/131607363/c8bece7b99.pdf
    • https://sufosuzupunu.weebly.com/uploads/1/3/1/3/131379650/eb8120089eaefa.pdf
    • https://sowuritujozefa.weebly.com/uploads/1/3/4/6/134621612/tebuzivu_zatikelefo_wuxul.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://mizunebapod.pbworks.com/w/file/fetch/144720273/vizoredemaledij.pdf
    • https://uploads.strikinglycdn.com/files/1d6bd03e-b40a-41f3-b3a2-ec9183e4d1f9/what_is_the_best_atf_4_transmission_fluid.pdf
    • http://vimadutukad.pbworks.com/w/file/fetch/144919017/29505733318.pdf
    • https://uploads.strikinglycdn.com/files/053b0955-2f64-4e6a-bb1e-9d2b69cb7a77/nozisibinamesu.pdf
    • https://uploads.strikinglycdn.com/files/15c6d55a-b325-4be9-a6df-02b6a2345857/created_shared_value_businesses.pdf
    • https://uploads.strikinglycdn.com/files/d5ae4930-766f-4611-a75c-c3807daaf54e/math_1_systems_of_equations_and_inequalities_practice_test_answer_key.pdf
    • http://bekivuxuga.pbworks.com/f/what_is_a_manual_handling_risk_assessment.pdf
    • https://uploads.strikinglycdn.com/files/88dcff6c-c402-4220-8623-59830c551254/pebamibojitupus.pdf
    • http://mudowomuxexo.pbworks.com/w/file/fetch/144424335/fejunorogikewujuto.pdf
    • http://fevawigo.pbworks.com/w/file/fetch/144666063/54110345339.pdf
    • https://uploads.strikinglycdn.com/files/08446179-02ff-49fe-822f-fc77343f30d2/twilight_full_movie_online_free_2008.pdf
    • https://uploads.strikinglycdn.com/files/e845352c-3246-403e-9e71-6e7e6fe30d45/hansel_and_gretel_get_baked_full_movie.pdf
    • https://uploads.strikinglycdn.com/files/f011ff2a-6a3d-49c0-98ff-315bee273143/what_is_the_recovery_time_for_cubital_tunnel_surgery.pdf
    • https://uploads.strikinglycdn.com/files/3c74ae47-5472-46ca-9b6c-a01f04635d51/xabinet.pdf
    • https://uploads.strikinglycdn.com/files/94272a6b-1424-482d-8690-3d5c42c7a843/suzuki_sidekick_body_lift_kit.pdf
    • http://serizedez.pbworks.com/f/how_to_stretch_a_groin_strain.pdf
    • https://uploads.strikinglycdn.com/files/e1277153-3c76-453f-8d1d-d634dede063a/how_much_does_a_starbucks_mastrena_cost.pdf
    • http://paditoxef.pbworks.com/w/file/fetch/144887256/organic_rearrangement_reactions.pdf
    • http://pusavivo.pbworks.com/f/12815815460.pdf
    • https://uploads.strikinglycdn.com/files/55b0a353-b16f-462a-a248-2647bcfb54d1/summertime_saga_0.19_0_apk_download.pdf
    • http://jujirafamena.pbworks.com/w/file/fetch/144889365/harry_potter_and_the_goblet_of_fire_eng_sub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Hash | Kind | Source | Size
font_00_sfnt_off0000f37e.bin | ad2f7b3bbd5600178d4fa1388607c151b03708436ecc42ab25bbdfb234eab52f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF37E | 5184 bytes
font_01_sfnt_off000104fa.bin | 0d3dd6501b084b429aebc86d8002c51f681c6dd2ce55cb5998cfcc9870d8d7d3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104FA | 11132 bytes
font_02_sfnt_off00012b12.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B12 | 4324 bytes