Malicious PDF — malware analysis report

Static analysis result for SHA-256 7293f6734393b9cb…

MALICIOUS

PDF

72.7 KB Created: 2021-03-20 01:49:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07
MD5: 65eb9a8f33b5f5c5dd11d98fc3c27fe7 SHA-1: 7ee46e849251a826dd349e5571aad674c848ed6c SHA-256: 7293f6734393b9cb220c67373bf2c8e6d5f1ae26ec9c1f38b64c998c68d8b5db
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It functions as a link farm, containing numerous external URLs that likely lead to malicious content or phishing sites. The presence of embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' strongly suggest an attempt to lure users to external resources, potentially for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=head+first+javascript+programming+-+o%2527reilly+%25282014%2529+pdf PDF link annotation
    • https://kusovagojevo.weebly.com/uploads/1/3/4/8/134883394/8bdbf37584790.pdfIn PDF document text
    • https://kobalogowitat.weebly.com/uploads/1/3/0/7/130776452/fukufenike.pdfIn PDF document text
    • http://strgb2.ru/monster_hunter_stories_subquest_guidufjii.pdfIn PDF document text
    • http://barbanapoli.moscow/wild_bloodstinger_hunter_deckl5xdc.pdfIn PDF document text
    • https://jedexapotup.weebly.com/uploads/1/3/4/4/134472831/risobinifezopo-magomi-geleb.pdfIn PDF document text
    • https://cdn.sqhk.co/purilusevike/hPgcOgl/heroic_magic_duel_hack_download.pdfIn PDF document text
    • http://mpvideo.org/513655282157u0nb.pdfIn PDF document text
    • https://cdn.sqhk.co/rapowipijes/jaii1Vd/mandalorian_bebe_yoda_mobile_wallpaper.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://a4758657-6aaa-4003-b0f6-1957e800abfd.filesusr.com/ugd/70c1f8_7dcc3aa5cff2456bba30a9831c00401a.pdf?index=trueIn PDF document text
    • https://62dace35-232c-43a2-b3e8-6cf19ad57148.filesusr.com/ugd/42ae31_78cea4ab48c6491aa6927d5dfe4aa4ce.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/zidenigad/14736798210.pdfIn PDF document text
    • https://s3.amazonaws.com/jixerubowi/the_subtle_knife_hbo_release_date.pdfIn PDF document text
    • https://11ab4cf5-156d-4417-99e9-5039b2a7eb5f.filesusr.com/ugd/82d61e_62ae4789728f484ba194a98e5d9ebd2b.pdf?index=trueIn PDF document text
    • https://911f1565-2faa-4874-b261-330d521e7362.filesusr.com/ugd/f46427_73029fc04d4448e6ad9ce9aabb9d077d.pdf?index=trueIn PDF document text
    • https://5984e891-aecd-43e6-866f-efdb297c9c35.filesusr.com/ugd/403565_0b728742f85b47d9a3db7d3e07d3e4aa.pdf?index=trueIn PDF document text
    • https://94aa8f26-b07a-4c24-bdb4-4112657565c9.filesusr.com/ugd/37428b_58354a40def845db81a12bebbb56c3ee.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da1d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA1D 6308 bytes
SHA-256: ab0a52d67f8255c09ea6596efda8a7d3d6fe0b4035f89d0ccf6fdee3a6e860ed
font_01_sfnt_off0000efc1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFC1 10928 bytes
SHA-256: 5d9062a39dc8965548ac2bb82577b540085f3574fbc5ec31bedf0c960a78ebe7

Open this report in the interactive analyzer, or submit your own file for analysis.