Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e013f9e6c034f6…

Verdict: MALICIOUS
File type: PDF
Size: 97.8 KB
Created: 2021-03-15 20:32:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6386b9759c57d6cb3499a16c110515ef
SHA-1: eb673b2844fb288691428744e54b430ea10a35f4
SHA-256: 77e013f9e6c034f6981689073979d8f26971c9747b179978b460a589ccfa0e80
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF document containing a large number of external links, many of which are disguised as legitimate documents or games. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware distribution. The embedded URLs point to suspicious domains, suggesting the document is part of a link farm designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ponafet.ru/123?utm_term=sql+server+2008+r2+developer+edition
    • http://samelike.site/word_search_game_garden_essentials8qn5c.pdf
    • http://tediwaxivuj.sportsontheweb.net/ketuxatujonovigewi.pdf
    • https://mukoxawav.weebly.com/uploads/1/3/4/6/134627731/tudesugob.pdf
    • https://tagopebarezixog.weebly.com/uploads/1/3/1/6/131607889/kikope_dewuxivafasiro_katazex.pdf
    • https://cdn-cms.f-static.net/uploads/4476272/normal_5fd31548af172.pdf
    • http://gapilojazixo.getenjoyment.net/samsung_rf26hfendsr_freezer_not_working.pdf
    • http://bafiselavanebep.mywebcommunity.org/data_structures_and_abstractions_with_java_4th_edition_solutions.pdf
    • https://wovupidej.weebly.com/uploads/1/3/4/6/134687137/potizulobulujupo.pdf
    • https://static.s123-cdn-static.com/uploads/4483337/normal_6008d7f36d24b.pdf
    • https://xinuxarovota.weebly.com/uploads/1/3/0/7/130776268/0ef6a4ff05c7162.pdf
    • https://bavexopifepixab.weebly.com/uploads/1/3/4/6/134683122/8222674.pdf
    • https://rogujodur.weebly.com/uploads/1/3/4/8/134899240/27941.pdf
    • https://static.s123-cdn-static.com/uploads/4455176/normal_60078c026bdab.pdf
    • https://badukixekuxa.weebly.com/uploads/1/3/5/3/135388400/magifepemituf.pdf
    • https://cdn-cms.f-static.net/uploads/4418570/normal_603f361b3ab9a.pdf
    • https://zekisotirateme.weebly.com/uploads/1/3/4/3/134368555/segosutakerewe.pdf
    • https://static.s123-cdn-static.com/uploads/4386094/normal_6000c27587992.pdf
    • https://kekisadubivef.weebly.com/uploads/1/3/3/9/133986731/nawufajovib_tafosazomajo_zakutixadu_jemer.pdf
    • http://nakrutkavk.site/ear_doctor_midtown_nycm9c5b.pdf
    • https://foreguguwikib.weebly.com/uploads/1/3/0/7/130775698/gixatowobus.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lobopekogolo.onlinewebshop.net/world_of_darkness_slasher.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • https://blog.csdn.net/lucky51222/article/details/72953853
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d091.bin | d2feee0e38f34453a2db6fb4a11ec065eea03335a6c85332425debe07dc459c5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD091 | 36564 bytes
font_01_sfnt_off000140b8.bin | 0d9776f2dd3279a84a26b1a1e3fde4bd7e89f898b860b385387b45ca98f265ad | pdf-font-stream | PDF embedded font (sfnt) at offset 0x140B8 | 5500 bytes
font_02_sfnt_off0001538d.bin | 0ce4576b3fcfc3495117464702d2ec1c7311a7d53fc3d8fce20f80408be0de31 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1538D | 10416 bytes