Malicious PDF — malware analysis report

Static analysis result for SHA-256 7abf816c2ba360fa…

MALICIOUS

PDF

Size: 107.8 KB
Created: 2021-04-05 06:16:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2885264933e8764d5477c040033fa53c
SHA-1: d7d820b44d59228be63acfd514beff0df0170711
SHA-256: 7abf816c2ba360fa571aaf42fb66cc3e30544ff838dd35fab0c2ad30042e700b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic in link farms and phishing campaigns. The ClamAV detection and the ML classifier both strongly indicate malicious intent, with ClamAV specifically labelling the file as a phishing trojan. Although no scripts were extracted, the PDF structure and the extensive set of external links suggest the file is designed to redirect users to malicious sites, most likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://dugedepap.ru/strik?utm_term=interpreter+of+maladies+book+cover
    • https://cdn.sqhk.co/nabotogemobe/YjgPgd4/smart_assistive_touch_apk.pdf
    • https://cdn.sqhk.co/fakupavod/g4hcgdC/insecure_direct_object_reference_prevention_cheat_sheet.pdf
    • https://xitirume.weebly.com/uploads/1/3/4/3/134392652/1266992.pdf
    • https://cdn.sqhk.co/sativomofij/ejcggDf/48875311153.pdf
    • https://cdn.sqhk.co/guxifunuris/bYjiOCx/santorini_greek_grill_mckinney_texas.pdf
    • https://cdn.sqhk.co/zadorari/jUpNjca/frontline_commando_2_pc_game_free.pdf
    • https://cdn.sqhk.co/lanumakefu/cjbhcjg/13751491594.pdf
    • https://duvozeja.weebly.com/uploads/1/3/0/7/130739152/wikowuri.pdf
    • http://vuxilenusip.mypressonline.com/tekiguforoletewik.pdf
    • http://mufinofol.scienceontheweb.net/calendar_printable.pdf
    • https://tebukebodo.weebly.com/uploads/1/3/1/3/131381901/754f3ad008331c.pdf
    • https://wunabigoji.weebly.com/uploads/1/3/4/8/134891590/rufuvekejesepa.pdf
    • https://topodomero.weebly.com/uploads/1/3/2/6/132696018/9208765.pdf
    • https://vagofavom.weebly.com/uploads/1/3/4/4/134486407/7436222.pdf
    • http://bukudix.getenjoyment.net/alter_ego_level_1_exercise_book.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2b57de6f-423a-48c1-ba1e-236631198cb1/how_to_form_a_logical_argument.pdf
    • https://uploads.strikinglycdn.com/files/cd01a99b-0d75-4a42-a9fc-6ece0f1b0c14/lekasif.pdf
    • https://uploads.strikinglycdn.com/files/98d55ea2-f07d-4f77-a32b-3163c4034ba7/dewewalesopeludipogoluxe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • font_00_sfnt_off000127a5.bin
    SHA-256: ba4cd02725257530607640f6aa539e8dd9f4097af51a8134af024d5b0982418d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x127A5
    Size: 8672 bytes
  • font_01_sfnt_off000144a8.bin
    SHA-256: b8e325165d10d336b0f43c29a17e23d740880b22324965366fabb41c9214ad93
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x144A8
    Size: 5504 bytes
  • font_02_sfnt_off0001574a.bin
    SHA-256: fbeed3fcad56c84e99aac451a1646439cfe6757034ff8af506085ae9efd6d22e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1574A
    Size: 16996 bytes
  • font_03_sfnt_off000188bc.bin
    SHA-256: d6a5b2e99c2970bd481fa16405c9052d4557e88bc3fa0baddd2c545d19a6c0b7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x188BC
    Size: 17060 bytes