Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f4039cacc764058…

Verdict: MALICIOUS
File type: PDF
Size: 109.2 KB
Created: 2021-03-25 09:16:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a93cd69a41b3c3490cbe5d400267ae77
SHA-1: 51c05ccd216cbcc2eef9899938fc2f4e9093359e
SHA-256: 7f4039cacc76405892cde2d28e965d385b00f6d794ff3f161a4d68836db34694
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, forming a link farm, and is detected as malicious by ClamAV and an ML classifier. The primary URL, 'https://maypoin.ru/award?keyword=macroeconomics+7th+edition+by+olivier+blanchard+pdf', suggests a phishing or SEO scam designed to trick users into visiting potentially malicious sites. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://maypoin.ru/award?keyword=macroeconomics+7th+edition+by+olivier+blanchard+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000db4a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDB4A  48808 bytes
  SHA-256: 4cef0f3b1846c1787f87dc77b32480f2e0723a31b8b029d9ca8fd1babb993d86
font_01_sfnt_off00016f04.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16F04 5784 bytes
  SHA-256: 9bf2608bbb44015a58a3c0d98c8217f067325c5ba358d2210c5ad960f98fa6e3
font_02_sfnt_off000182a4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x182A4 10536 bytes
  SHA-256: 81108311bdeb06fa00ed1bc7c75476f752820d94adfec9af34baa626034b8ea4