Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f9ca7abee5f96eb…

MALICIOUS

PDF

78.4 KB Created: 2021-06-10 08:58:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 534c573377c57f6dbc2d011ea8232fa5 SHA-1: ee9368418888cbd97964da86a1792ab8a163e0b2 SHA-256: 7f9ca7abee5f96ebae0d76611570a66c062080d9fcf52dcdaa569b46e305f756
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as Pdf.Phishing.Trojan. The file contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to distribute potentially unwanted or malicious software. The embedded URLs and the overall structure indicate a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/pbw?utm_term=dreamweaver+portable+cs3+download
    • https://cdn-cms.f-static.net/uploads/4401994/normal_6047b9fb41152.pdf
    • https://bumujonawomete.weebly.com/uploads/1/3/4/4/134435367/15fbb1.pdf
    • https://xidekazepo.weebly.com/uploads/1/3/0/9/130969591/gopiwogejiro-bejogenaxitilif-sexiwuzipewa-dewutivap.pdf
    • https://cdn-cms.f-static.net/uploads/4450248/normal_6025f04247b33.pdf
    • https://kuwisuzom.weebly.com/uploads/1/3/4/0/134017610/5669975.pdf
    • https://telutifezidawu.weebly.com/uploads/1/3/4/6/134624569/vizelobifezajut-bufuguz-ponipaxezet-mixenevad.pdf
    • https://fixalurona.weebly.com/uploads/1/3/4/3/134314544/katitenexizuxix_moniwabud_sasavebovoj_pebupu.pdf
    • https://kagilomit.weebly.com/uploads/1/3/4/6/134669997/582274bcb970.pdf
    • https://xalidanazate.weebly.com/uploads/1/3/6/0/136082238/0bde9b.pdf
    • https://pukewuvidepuf.weebly.com/uploads/1/3/4/3/134321324/438505.pdf
    • https://cdn-cms.f-static.net/uploads/4473916/normal_6044df40715c5.pdf
    • https://lutapusudifo.weebly.com/uploads/1/3/1/0/131070527/7055884.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://rujuboxu.pbworks.com/f/bizuta.pdf
    • http://biduzoku.pbworks.com/f/39067508786.pdf
    • http://papoxuva.pbworks.com/w/file/fetch/144897816/dadurenusetoxagefosisi.pdf
    • https://uploads.strikinglycdn.com/files/03517c75-bc1a-427f-a275-3510e89ffb66/why_is_my_broan_range_hood_blinking.pdf
    • https://uploads.strikinglycdn.com/files/e0c59764-7b04-4a55-8c39-74771bcb228a/90797963747.pdf
    • http://fatakalewene.pbworks.com/w/file/fetch/144499884/favimarebifefokinenofeb.pdf
    • https://uploads.strikinglycdn.com/files/59079e26-1a0b-417b-a53a-56376166b5b3/75544972231.pdf
    • http://sakulibur.pbworks.com/f/wivufebuturivevakesap.pdf
    • http://buzivevej.pbworks.com/f/among_us_mod_menu_always_imposter_pc.pdf
    • http://fepewuwakow.pbworks.com/f/american_heart_association_acls_pretest_answers_2015.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f00e.bin
f3cc4f850ecdbc77e10b96d86a0135d41f11ecfe23df6bde2537f5d353c6af6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF00E 5676 bytes
font_01_sfnt_off00010351.bin
b5621eae3f04ad7d7e7841214c3a91d14ca1946726b4da7b6202b0aa6bce4f59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10351 12100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.