Malicious PDF — malware analysis report

Static analysis result for SHA-256 7471224fe9e178b5…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2021-03-16 17:16:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39b336565cdbcc12e031433390bc0d46
SHA-1: 9e171209f591ce37e4034a24c0e8ea1d7c907a21
SHA-256: 7471224fe9e178b5af559a4b66b96eba6ec068f4fea70ea9d3f0097923c99726
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large set of external link annotations, most of them pointing at throwaway hosting (weebly.com, strikinglycdn.com, filesusr.com, s3.amazonaws.com buckets, sportsontheweb.net, mypressonline.com, atwebpages.com) and a lead URL on resalured.ru carrying a search-term query string. That is the shape of an SEO link farm used as a lure, not of a document with genuine citations. The 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics agree on the verdict, with ClamAV identifying the file as 'Pdf.Phishing.Trojan'. The document body, though heavily obfuscated, contains keywords related to search terms (the link targets themselves are named after queries such as 'casio ctk 2400 price in sri lanka' and 'car sale agreement format'), which reinforces the lure. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by any recovered script content; the redirection relies on the PDF's /URI link actions, which open the target in the user's browser when a link is clicked. The w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net entries in the URL list are XMP namespace and font-licence identifiers from the document metadata, not clickable targets.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action (/URI), which opens the target in the user's browser when the link annotation is clicked.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G obj) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/123?utm_term=avenged+sevenfold+albums++zip
    • http://zexaribamemavi.sportsontheweb.net/literary_analysis_essay_rubric_12th_grade.pdf
    • https://sixagezox.weebly.com/uploads/1/3/1/6/131606695/moroviwipozo.pdf
    • http://golixudib.mypressonline.com/zinedutativutonurobosasuf.pdf
    • https://zalefukonu.weebly.com/uploads/1/3/4/3/134346034/802940.pdf
    • http://rozogididibusar.sportsontheweb.net/casio_ctk_2400_price_in_sri_lanka.pdf
    • https://laxopewivizi.weebly.com/uploads/1/3/5/3/135394850/lisedeb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/7c0a006f-c323-408a-9218-5b6fa2611e0e/can_you_cancel_planet_fitness_membership_before_annual_fee.pdf
    • https://s3.amazonaws.com/tixeligufokup/88065742308.pdf
    • http://nowimirozox.atwebpages.com/imprimir_para_nios_tablas_de_multiplicar_del_1_al_12.pdf
    • https://uploads.strikinglycdn.com/files/ea9494cc-752a-4f20-9b03-00e1a8fa64dd/logiwasavaperovonoz.pdf
    • https://5634f520-c25d-421d-ab67-3d94505d13cb.filesusr.com/ugd/1b85ab_d5cc0de47136473ea2cbb4e6c33ae3e5.pdf?index=true
    • https://s3.amazonaws.com/zetituri/waragabixemubuvepulu.pdf
    • https://5c2cca0d-3a4e-48b0-93bf-8ac6c0c026cb.filesusr.com/ugd/271e65_2c0f3838509f44f6b61385d1259758a7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e4bf4eee-277e-448b-836e-0e8472dd7e42/terupesisidisemu.pdf
    • https://s3.amazonaws.com/dojivewobasuval/stihl_fs90r_carburetor_diagram.pdf
    • https://s3.amazonaws.com/ninazarila/gimedixupavazatigeniv.pdf
    • https://5c3e38fa-bf2d-4cda-bfdc-19e9a39f2227.filesusr.com/ugd/b3ada4_b865024feca94dafb18be432e4d0d4ba.pdf?index=true
    • https://dc58184e-bbba-402a-8e08-a55d552c8f3f.filesusr.com/ugd/0ebc1f_30a21dc26a26481aa521db009606ca6b.pdf?index=true
    • https://s3.amazonaws.com/minegikukovel/car_sale_agreement_format.pdf
    • https://uploads.strikinglycdn.com/files/3986449a-a204-4e6b-bbfd-969b0123283b/wevafoza.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
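The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on raw PDF bytes without a full parser. The script below is an added example written for this report, not the analysis engine's own code: it walks the uncompressed `N G obj ... endobj` definitions, collects /URI action targets, measures how far the unique targets cluster on one host, and flags any object number defined twice with differing bodies, escalating when either body carries an active-content key. The thresholds (200 KB size cap, at least four unique links, half of them on one host) and the sample PDF are assumptions for illustration; the engine's real thresholds are not stated in the report.

```python
"""Triage for PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL on raw PDF bytes."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Indirect object definitions: "N G obj ... endobj". Only uncompressed objects are
# visible this way; objects packed into /ObjStm streams need a decompressing pass
# first (e.g. qpdf --qdf --object-streams=disable in.pdf out.pdf).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI action targets written as literal strings. The hex-string form <...> is not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys whose presence makes a duplicated object "active" (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def iter_objects(data):
    """Yield (number, generation, body) for every object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def external_uris(data):
    """All /URI action targets, in file order, duplicates included."""
    return [u.decode("latin-1") for _, _, body in iter_objects(data) for u in URI_RE.findall(body)]


def link_farm_score(data, max_size=200 * 1024, min_links=4, cluster_ratio=0.5):
    """Small file + many unique external links + most on one host => link-farm shape."""
    uris = sorted(set(external_uris(data)))
    hosts = Counter(urlsplit(u).hostname or "?" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {
        "size": len(data),
        "links": len(uris),
        "pdf_links": sum(urlsplit(u).path.lower().endswith(".pdf") for u in uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(data) <= max_size and len(uris) >= min_links and share >= cluster_ratio,
    }


def duplicate_objects(data):
    """Object numbers defined more than once with different bodies.

    A first-wins reader resolves `first`, a last-wins reader resolves `last`;
    the finding is marked active when either body carries an active-content key.
    """
    first = {}
    findings = []
    for num, gen, body in iter_objects(data):
        key = (num, gen)
        if key not in first:
            first[key] = body
        elif body != first[key]:
            findings.append({
                "obj": key,
                "first": first[key],
                "last": body,
                "active": any(k in first[key] or k in body for k in ACTIVE_KEYS),
            })
    return findings


# Constructed sample (not the analysed file): four link annotations, three of them on
# one host, plus an incremental update that redefines object 5 with a new target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/go?id=1) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj']} defined twice, active={f['active']}")
        print("  first-wins:", f["first"].decode("latin-1"))
        print("  last-wins: ", f["last"].decode("latin-1"))
```

Only /URI actions are counted, so the XMP namespace and font-licence URIs that the EMBEDDED_URL channel lists above do not inflate the link count; that separation is what distinguishes the link-farm signal from plain URL extraction. On a real sample, run the script against a decompressed copy, since this one reads only objects that are visible in the clear.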

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f05e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF05E
  Size: 5304 bytes
  SHA-256: 2727d38d36f3869d61a7b011e7bd33234f6b77c7469c8c1f402b85e0687ffa45
font_01_sfnt_off0001025e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1025E
  Size: 12304 bytes
  SHA-256: 9200c62a35b0005585f9d70b07d3293d5105c6bbdd1dae13708ae2dab34668a2
font_02_sfnt_off000128e4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x128E4
  Size: 16204 bytes
  SHA-256: e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15
font_03_sfnt_off00013e12.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13E12
  Size: 4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333