Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b70898067fbf9ec…

MALICIOUS

PDF

82.3 KB Created: 2021-09-18 17:44:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: be04f056645f68b52485059fc45dd3c7 SHA-1: c777dfee4eb7e542d050edf4d35b1a8d3be7f338 SHA-256: 7b70898067fbf9ec1556c2195674886b9d03fcbc36b9b3faa662db104b07b67d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The 'SE_CALLBACK_LURE' heuristic suggests the document is designed to trick users into calling a fraudulent phone number, likely for a tech-support scam or a fake billing issue. Embedded JavaScript was detected, which could be used to further exploit the user or download additional malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tcgardening.com/userfiles/file/2021091812302773499.pdf
    • http://yigang-lin.com/uploads/files/202109161555241470.pdf
    • https://swaarm.de/app/webroot/upload/files/40237159111.pdf
    • http://pulsarvn.com/media/ftp/file/75468206258.pdf
    • https://elearning-chemistry.ro/userfiles/file/kijetibesikeb.pdf
    • http://uklearningnetwork.com/userfiles/file/18359913498.pdf
    • http://davidhammerstein.org/ckfinder/userfiles/files/putodopuxomuset.pdf
    • http://bwemfjhjk.friend-match.com/upload/files/31602161923.pdf
    • http://www.kickcommerce.com/userfiles/file/23068944456.pdf
    • https://ciiinnovationsummit.com/ci/userfiles/files/12994019507.pdf
    • http://www.prodomasa.com/ckfinder/userfiles/files/5918979611.pdf
    • http://kooijobs.in/ckfinder/userfiles/files/givivinano.pdf
    • http://www.lauricedale.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16130dadf6f04c---41274092342.pdf
    • https://ofcourselc.com/admin/uploadsfile/64591664945.pdf
    • http://ketnoikienthuc.com/upload/files/karugijapirubob.pdf
    • http://wingmanplanningdemo.com/userfiles/files/xarovu.pdf
    • https://tainandentist.com/uploads/files/202109010831146172.pdf
    • http://020tzs.com/baige/images/userfiles/file/vekagamugutateneb.pdf
    • http://bridgestone-ice-cruiser-7000.ru/ckfinder/userfiles/files/18425925440.pdf
    • http://www.dagmarsvendova.cz/admin/js/ckfinder/userfiles/files/44297874835.pdf
    • https://rovetco.com/userfiles/file/97582026211.pdf
    • http://dade666.com/userfiles/202109file/2021090411093770554.pdf
    • https://nanyangtextile.com/userfiles/file/jagujavigenaf.pdf
    • https://sukienmiennam.com/userupload/files/dotivowixeme.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=cool+minecraft+survival+house+ideas
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dda1.bin
67630634c24868493bd35b9fd3cf65f9132faa272b07d8ac005d8085d14c7dda		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDA1 17156 bytes
font_01_sfnt_off00010a17.bin
68433154c06016f1cb61086381ff83bd8f29b8d8a33bac4d11c1b15417fb26b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A17 10936 bytes
font_02_sfnt_off00012342.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12342 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.