Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ef9b7cc31c70ea6…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Created: 2021-03-21 06:34:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38ab92c838a4dd4da54b6d2b5f9a56f0
SHA-1: d8e231000652b40722edf6495ab7e7e7152606d1
SHA-256: 7ef9b7cc31c70ea661ff79ff3b0378fb7f5bf4e234fa89cb5cba85ff1c0d1880
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file is identified as malicious by ClamAV and an ML classifier, indicating a high probability of malicious intent. The primary attack pattern observed is the creation of a link farm, directing users to numerous external PDF URLs, likely for SEO manipulation or to host further malicious content. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f1af.bin
    SHA-256: 076d1d6fc765565831440ea3f3d9d38965ac1c77b1a90452b7e833402bd6cb34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF1AF
    Size: 5516 bytes
  • Filename: font_01_sfnt_off0001046a.bin
    SHA-256: 1a290e5886da9cb0c7d7b6c67497dda21f2f88cff3c7d4916cdc7b19ef36ddb8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1046A
    Size: 10516 bytes