Malicious PDF — malware analysis report

Static analysis result for SHA-256 7372b1269eed9472…

MALICIOUS

PDF

Size: 73.0 KB
Created: 2021-03-19 08:50:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 186cd79540c0e6210d6c293dd6be6301
SHA-1: 67cbc8f131e5d40990fab666e78c300fc23aaa89
SHA-256: 7372b1269eed94727910272fc40513f155218a734e1b93f7dfcd3c2313d61e10
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, suggesting a phishing or malicious redirection attempt. The embedded URLs point to suspicious domains, likely serving as landing pages for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000df46.bin
  SHA-256: eadc936672a795a2dd4a1369fa980b478e0032e466cfdf96549da574e0139dc3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF46
  Size: 5424 bytes

Filename: font_01_sfnt_off0000f19b.bin
  SHA-256: 4266f9d11081260736d587ba6a6c902fddf5066c0762f945b8c45ad1328ad64c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF19B
  Size: 10780 bytes