Malicious PDF — malware analysis report

Static analysis result for SHA-256 771b7f430530cd87…

MALICIOUS

PDF

81.0 KB Created: 2021-03-10 14:29:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc6dd4e294a2f2942d5d822937ddbaea SHA-1: d43a6d2605d06c0be967377eb893d0fef606b1f3 SHA-256: 771b7f430530cd8778245e52deaeb1076ea9098febcd6b43bc1e289a80125bf2
244 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains multiple heuristics indicating malicious intent, including PDF_SEO_LINK_FARM, PDF_SUSPICIOUS_LINK_LURE, and SE_BROWSER_INSTALL_LURE, suggesting a social engineering tactic to trick users into downloading or viewing malicious content. The ML classifier and ClamAV detection strongly support its malicious nature. The embedded URLs point to suspicious domains, likely hosting further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 8

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/award?keyword=journal+articles+pdf+download
    • https://cdn.sqhk.co/zomulusiku/geihhjU/debixix.pdf
    • https://gitikaru.weebly.com/uploads/1/3/4/9/134901111/4c6b9658950a.pdf
    • https://cdn.sqhk.co/soxobiwefili/eijWWic/1033015369.pdf
    • https://cdn.sqhk.co/pobisobat/q6iaiip/kokegadabiwepixo.pdf
    • http://8gusevshop.space/popular_car_driving5c9lm.pdf
    • https://bovuxubirike.weebly.com/uploads/1/3/0/7/130738735/7406608.pdf
    • https://cdn.sqhk.co/temirikuji/Whdjidt/catfish_meaning_in_slang.pdf
    • https://cdn-cms.f-static.net/uploads/4465557/normal_602c1036635ae.pdf
    • https://static.s123-cdn-static.com/uploads/4473619/normal_5fcbc249f1584.pdf
    • http://gelchlen.fun/quran_tafseer_commentary_in_english_audiomwp2z.pdf
    • http://vetapako.22web.org/40005744578.pdf
    • https://cdn-cms.f-static.net/uploads/4443354/normal_60137602c1d09.pdf
    • http://vehicleusains.com/78635445443oiez6.pdf
    • https://cdn-cms.f-static.net/uploads/4487906/normal_602262141bb15.pdf
    • http://worldhold.online/17224673119mafiq.pdf
    • https://cdn.sqhk.co/parikozug/GMhjjg5/hades_star_guide.pdf
    • https://cdn.sqhk.co/sarodeduz/hj5iehb/toddler_has_yellow_soles_of_feet.pdf
    • https://cdn.sqhk.co/ludozenidi/fifjeie/line_runner_lake.pdf
    • https://cdn.sqhk.co/tifapoxur/hhDPLgj/idle_tap_splash_park_levels.pdf
    • https://biwewonopegad.weebly.com/uploads/1/3/1/3/131380063/tejomijareg.pdf
    • https://cdn-cms.f-static.net/uploads/4464053/normal_6012620a64286.pdf
    • http://loginwithfb.site/870331474386jox6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://jowuwivipi.rf.gd/chikku_bukku_railu_song_masstamilan.pdf
    • http://pogapebod.rf.gd/vajevigajiwonawoteb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f0a5.bin
ba8a5a93340fa7781617da8250f26166e1e5045eea2a8e57ffb0981706c9d08e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF0A5 5112 bytes
font_01_sfnt_off00010221.bin
1615f62b027d8fbf1bd4a78389d4cb93b6a77dc1cb1ec9d6239af65faffbf91f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10221 10612 bytes
font_02_sfnt_off0001268b.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1268B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.