Malicious PDF — malware analysis report

Static analysis result for SHA-256 7952a6fdd99c432a…

Verdict: MALICIOUS
File type: PDF
Size: 101.4 KB
Created: 2021-05-29 16:07:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc9b03220f7f9aeb736017e5c683909e
SHA-1: 8e05659774acb70d51a5db8ff2e19a15367a6255
SHA-256: 7952a6fdd99c432a488afa6c4afadd8ad0024d99c1f571e7822a776f73a0110f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, suggesting a phishing or SEO manipulation tactic. While no scripts were explicitly extracted, the presence of embedded URLs and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicate malicious intent. The document body's content is heavily obfuscated and appears to be a lure for 'backing tracks free download'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cdn-cms.f-static.net/uploads/4486775/normal_605cb65ddae31.pdf
    • https://cdn-cms.f-static.net/uploads/4484122/normal_605a75cb48a77.pdf
    • https://cdn-cms.f-static.net/uploads/4379374/normal_601f708817d01.pdf
    • https://cdn-cms.f-static.net/uploads/4367646/normal_60494e37a3a72.pdf
    • https://static.s123-cdn-static.com/uploads/4384046/normal_5ffb7193d231d.pdf
    • https://dawerofe.weebly.com/uploads/1/3/4/3/134361643/e2ca8e1.pdf
    • https://cdn-cms.f-static.net/uploads/4456996/normal_601cb7e8ad119.pdf
    • https://static.s123-cdn-static-d.com/uploads/4462694/normal_60affab970d38.pdf
    • https://static.s123-cdn-static.com/uploads/4379237/normal_5fefa1e283fc4.pdf
    • https://static.s123-cdn-static.com/uploads/4374986/normal_60085f0687570.pdf
    • https://waruzakelejabu.weebly.com/uploads/1/3/4/6/134600446/40e0b339932.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/_7yJ53orglQ/wb?keyword=jamey%20aebersold%20backing%20tracks%20free%20download
    • https://uploads.strikinglycdn.com/files/020ce3e6-e5e7-4bf5-a99a-e1174ca43f7e/rirafibevekakafina.pdf
    • https://uploads.strikinglycdn.com/files/07cd997c-f8d8-4619-983d-12a8642cd04e/zuderoluwizusutodu.pdf
    • https://uploads.strikinglycdn.com/files/93b2f795-eb8c-4888-aaa7-d6d2452abbb3/kusobotoxif.pdf
    • https://uploads.strikinglycdn.com/files/7d024823-98f9-4cd1-a395-6bf98509df89/tanobegiwo.pdf
    • https://uploads.strikinglycdn.com/files/bb3b2f24-560a-4f4a-8c99-f6c7252a42bb/medieval_2_total_war_crusades_unit_id_list.pdf
    • https://uploads.strikinglycdn.com/files/8e5138bd-1c1a-4217-86ac-05a88049ec04/maze_runner_3_netflix_release_date.pdf
    • https://uploads.strikinglycdn.com/files/3b42906f-0e53-474a-90bb-9b6903082c2b/29696073914.pdf
    • https://uploads.strikinglycdn.com/files/64618999-a2b5-4c82-a0d0-a37a23fb41fb/light_novel_anime_movie_list.pdf
    • https://uploads.strikinglycdn.com/files/a56a6db6-d4b3-4838-9e3f-d23784c70976/download_geometry_dash_lite_mod_apk_2.2.pdf
    • https://uploads.strikinglycdn.com/files/1645a0b5-a2e7-48fc-be41-a5ec6e58200d/how_long_does_a_mobility_scooter_battery_last.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012c24.bin
    SHA-256: 934595ba73b843413fe9bcce2001031fe44740913968b1cf10a178be63d39a11
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C24
    Size: 5728 bytes
  • font_01_sfnt_off00013fac.bin
    SHA-256: 252084941af09fa9e05ed313f5d2186b7df954c58466210a0ac3dba4a833cb9a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13FAC
    Size: 16408 bytes
  • font_02_sfnt_off000172b1.bin
    SHA-256: 184efd0e138a9418359f6897f9ac56b5cd93cafbd57abf30711ac2aee7e18832
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x172B1
    Size: 16120 bytes