Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ab73cf93f2ce957…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2020-12-17 05:01:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4eda6a2372f0f05336312a38687a1844
SHA-1: 19607d97ea63fa88a14431dcb1bf105c1b616478
SHA-256: 7ab73cf93f2ce9574cc025a0f6faca17f81717dae0b269cb4160562ff9fa83fd
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, with one identified as a potential phishing or malware distribution URL. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, and the 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' firings strongly suggest malicious intent. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, suggesting it might be a generated document used as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d182.bin
    SHA-256: 3a3f6191266046bb85fde51ffcec657f257a7a9eb00217838ce63a55313651d5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD182; Size: 3216 bytes
  • font_01_sfnt_off0000dd14.bin
    SHA-256: 0b711d40b3e70a385ced5c5425b50c525c79bdaeb5cde49ecee1099b81f09b32
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xDD14; Size: 4688 bytes
  • font_02_sfnt_off0000ecec.bin
    SHA-256: ae2d08269448ff61c5f05e95a03103506d17b7e86a51447c9f8252a91c0703da
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xECEC; Size: 6404 bytes
  • font_03_sfnt_off0000fdad.bin
    SHA-256: 74024767b42f2b244441c6e53c4100b122e89d3ddcca0f35e345eaf2d4942f45
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFDAD; Size: 10784 bytes