Malicious PDF — malware analysis report

Static analysis result for SHA-256 7470a5fac077178b…

Verdict: MALICIOUS
File type: PDF
Size: 86.7 KB
Created: 2021-03-16 00:22:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5438d56be47bd9a3b045375492f7106e
SHA-1: b4ee00b64e7d8949736477dbe688de9e6c489bf6
SHA-256: 7470a5fac077178b25c582b4b2b2a1b3ce5326f5bfda5a2546726b544a89d4e5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. It contains numerous external links, including a link farm, and embeds URLs that likely lead to malicious content or phishing pages. The presence of embedded URLs and the nature of the heuristics suggest an attempt to redirect the user to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/wix?keyword=mackenzie+river+husky+facts
    • https://cdn.sqhk.co/nowovadizeb/c0gehiM/nadiku.pdf
    • http://instapresent.site/46533294795sml9n.pdf
    • https://cdn.sqhk.co/zonigita/Xjgjjjg/liz_ielts_writing_task_2_with_answers.pdf
    • http://somubuzesixuwun.getenjoyment.net/quant_job_interview_questions_and_answers_free_download.pdf
    • https://cdn-cms.f-static.net/uploads/4415308/normal_602931d190792.pdf
    • http://zutatowatipo.mywebcommunity.org/jedowowujorunulivi.pdf
    • https://cdn.sqhk.co/revujinarewu/ophdljd/chudidar_cutting_in_tamil_free.pdf
    • https://cdn.sqhk.co/jufebarur/jcYjjhh/81904600627.pdf
    • http://forajadafogaxuv.medianewsonline.com/65022819013.pdf
    • https://cdn.sqhk.co/kokademesuz/fhMicJ3/lukozejekurifen.pdf
    • http://idealslimitaly-official.site/zoziligijimetijignfcaa.pdf
    • http://zodatowafe.getenjoyment.net/speakeasy_bars_soho_nyc.pdf
    • http://golosa-spasibo.ru/saeco_coffee_machine_repair_torontozoaev.pdf
    • https://cdn-cms.f-static.net/uploads/4383573/normal_60159e623c959.pdf
    • https://static.s123-cdn-static.com/uploads/4449622/normal_5fcbabe75648f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6a8c3f3f-5248-4e80-80e0-4bf2c04f72bc.filesusr.com/ugd/8b2c09_6c64b0b30fce4b81bd1a0f244c1ecd2e.pdf?index=true
    • https://87164119-88a6-4d6d-a72f-b109cf2d88b9.filesusr.com/ugd/bd0a66_73dd638c174144479b5a2cc99ca7fa74.pdf?index=true
    • https://f3dbd103-cf2f-44fc-b0ad-c9004dc38af2.filesusr.com/ugd/1f2646_bd896401b4e84faab9f8834c509baa29.pdf?index=true
    • https://91313464-3f42-441e-b0e8-b27065d471ad.filesusr.com/ugd/ee9d3f_52c1feebd3a540418049d128ff38968c.pdf?index=true
    • https://14864a69-2465-45da-a912-c6f78a3f99b9.filesusr.com/ugd/409ca8_1a73094787a24aef837bc03f67d7c8c3.pdf?index=true
    • https://6478d21b-237c-41b5-add8-96d7b9819624.filesusr.com/ugd/c7ef1a_3a4d29f779c240eba92b0b0078686a3d.pdf?index=true
    • https://178c1879-e916-404b-9861-a2431bd0f83a.filesusr.com/ugd/1aace6_c40c0798ac6e4665a98bf362c3af226e.pdf?index=true
    • https://ef9d90ca-5811-4a1c-810e-75bcfae60121.filesusr.com/ugd/a33af7_b9fe12bfbc0b47d48f8e93903d54db08.pdf?index=true
    • https://176fe727-baa2-4f6f-8ab0-cddcd97ecb74.filesusr.com/ugd/45df28_a522e8a892704ba289eea504d4ba2056.pdf?index=true
    • http://vekejuf.atwebpages.com/why_is_book_of_enoch_forbidden.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off00011559.bin
    SHA-256: 9b9e6ffb338deb7b778b9557a0a9e50b94962ba4ad9eeccc853a407f692862bc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11559
    Size: 5220 bytes
  • font_01_sfnt_off0001273d.bin
    SHA-256: 39db6fd3760b810886d94b4794e539ee73e87c6704c3643881b2fda88023749c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1273D
    Size: 11096 bytes