Malicious PDF — malware analysis report

Static analysis result for SHA-256 73a534b610907caa…

Verdict: MALICIOUS
File type: PDF

Size: 69.1 KB
Created: 2021-03-30 06:30:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91a886bd15ddaf1f55f01b41e5dfa131
SHA-1: c934ef599ccd7e2723d93da1edbe9cc651b24c33
SHA-256: 73a534b610907caa9707fff6453d28cfa7f5d6e47c0f8a61e485c6a98f88f0d6
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, as indicated by the 'PDF_SEO_LINK_FARM' heuristic and the presence of numerous external URLs. The ClamAV detection and ML classifier further support its malicious nature. The document likely aims to direct users to malicious websites or download further payloads through the embedded links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9959

Heuristics (6)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [medium] SE_QR_LURE: QR-code redirect lure
    Document instructs the user to scan a QR code with a phone. This is consistent with QR phishing, but is also common in legitimate documents.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cf9a.bin
    SHA-256: c2058d4fc2c2bde7fbfe758cfbd7efac3bab4d181cc2feefcdcf5221980ae7d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCF9A
    Size: 6068 bytes
  • Filename: font_01_sfnt_off0000e445.bin
    SHA-256: cf6c58ebfd6cce61a4275e475cb267388a0d23a7e63f5404e132c4da05ca09bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE445
    Size: 9996 bytes