Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ea06c6f8372d8dc…

Verdict: MALICIOUS
File type: PDF
Size: 84.2 KB
Created: 2021-03-17 06:38:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d2f082a3722c13141828c8df26212763
SHA-1: 516da0cb46cda888dcb4e60d9158681b0d27c52d
SHA-256: 7ea06c6f8372d8dcbbc0bd3ecdf283dc0fd230fb1827b855e051dcd2cbdf3624
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a large link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or directing users to malicious content. While no scripts were directly extracted, the PDF structure and embedded URIs suggest it's designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=7th+dragon+2020+ii+psp+iso+english+patch
    • https://cdn.sqhk.co/xoxamomajil/KAifShc/game_dev_tycoon_mod_apk_1._5._5.pdf
    • http://baramijotafexo.mypressonline.com/maximum_principal_stress_theory_factor_of_safety.pdf
    • http://xagakojitogiva.getenjoyment.net/mojos.pdf
    • https://cdn.sqhk.co/pixafosabow/jijhdhh/download_game_burnout_drift_2_mod_apk.pdf
    • https://cdn.sqhk.co/kobewudojuvo/PgQSfgh/69297082599.pdf
    • http://rejamar.sportsontheweb.net/88158638666.pdf
    • https://cdn.sqhk.co/wifavizen/iaiitKT/finukupufa.pdf
    • http://nabavawuzafurur.mygamesonline.org/peace_like_a_river_chords_paul_simon.pdf
    • https://cdn.sqhk.co/nomelafu/Bvk6jbI/44282581236.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://soxarigur.myartsonline.com/english_to_bengali_meaning.pdf
    • https://e22e8d81-f41f-4d51-abb1-39b19d2d32bb.filesusr.com/ugd/96bf9d_4d32c3cfc5014b848ac0ff196647cd27.pdf?index=true
    • https://d4078116-a2d5-466f-97e6-20d899f6ca30.filesusr.com/ugd/576447_ae7cc3a5e51544aebc3c0ff99cafa06a.pdf?index=true
    • https://s3.amazonaws.com/vanatul/jajoka.pdf
    • https://510b81f6-be4e-4e40-9acf-3f60af495837.filesusr.com/ugd/5f226b_eebc8f09a5164affaaf049dd862c4b30.pdf?index=true
    • https://s3.amazonaws.com/wunupalezozerud/colostomy_dietary_guidelines.pdf
    • https://s3.amazonaws.com/purawuma/adding_and_subtracting_integers_worksheet_grade_7.pdf
    • https://s3.amazonaws.com/polexebuj/47992084678.pdf
    • https://5b3fc17b-a4fb-4144-9a53-ff617e35bc6a.filesusr.com/ugd/696117_d05743ad2c0e48f0a5fe72aa7210ed8d.pdf?index=true
    • https://fb7bf4c5-056f-4058-a7d1-073478569b53.filesusr.com/ugd/d90490_ba89d1469ff1491195a34bde7a6ff119.pdf?index=true
    • https://s3.amazonaws.com/libowebujakux/68401087865.pdf
    • https://s3.amazonaws.com/bodajaku/roku_2_remote_control_replacement.pdf
    • https://4b4ea461-5266-411b-8735-d5290551f550.filesusr.com/ugd/7fedcf_2cffb12bf5dc439c9e598fe5390817d8.pdf?index=true
    • https://s3.amazonaws.com/waduzirader/garmin_vivofit_jr_2_replacement_bands_australia_target.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ed98.bin
    SHA-256: 05ffde90cd44c8e05277fd2b4aaf9694eea35aba40a71eb12aafcb163283ca8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED98
    Size: 4108 bytes
  • font_01_sfnt_off0000fc05.bin
    SHA-256: 978b94a804b7013a2015dff285d1b5ce7674e975a9addb34876fa3e271f469a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC05
    Size: 5380 bytes
  • font_02_sfnt_off00010e40.bin
    SHA-256: f2bb48defc1e6757cf1b2aa9cbd2e04cb5252962304a8d80dfa4ce84e9425aae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E40
    Size: 11220 bytes
  • font_03_sfnt_off0001342f.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1342F
    Size: 4324 bytes