Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ab84622ceb73cb9…

Verdict: MALICIOUS
File type: PDF
Size: 118.8 KB
Created: 2021-03-25 12:51:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9857a345fb05c9f56304506c4ce4785d
SHA-1: 18b6027679ad70e3d4311f017900a35034deaace
SHA-256: 7ab84622ceb73cb940998b533b0e73ef600ec20347c46457d1b7b41d2ffe9d3c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are designed to mimic search results, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution via these links. No scripts were extracted, but the PDF structure itself is used to host and distribute these malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00017a31.bin
    SHA-256: 057d3f303972b29ce4303998c754a17bdf5af17527d03fde2d283f31663c78bd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17A31
    Size: 5404 bytes
  • Filename: font_01_sfnt_off00018ca5.bin
    SHA-256: 861addc6a6c9c4f43f5a2f5b0d72ce8139eafceac25dac55f01d99562c906a8d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18CA5
    Size: 12384 bytes
  • Filename: font_02_sfnt_off0001b65a.bin
    SHA-256: bec9743c17249637d989e6c350f7b47c9857df4c1b76cc4807383c781c924220
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B65A
    Size: 16152 bytes