Malicious PDF — malware analysis report

Static analysis result for SHA-256 8490c93c9f5433d3…

MALICIOUS

PDF

78.9 KB Created: 2021-04-19 14:43:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6464a86e6117753e82ee065e76109ea0 SHA-1: b1fc6c3366b3ca33f10b8d98b06deed9b681a677 SHA-256: 8490c93c9f5433d309ae6f1766b4faf9c375ceb10ca102a6407fb384e7996e0f
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are part of a link farm, and is flagged as a phishing lure. The document's content, though heavily obfuscated, suggests it is designed to trick users into installing browser extensions or viewers, a common tactic for credential theft or malware delivery. The presence of multiple external PDF links indicates a potential attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=amazon+kindle+instruction+booklet
    • https://fejilexa.weebly.com/uploads/1/3/1/1/131163980/3380548.pdf
    • https://cdn.sqhk.co/vivepovugeli/bFiegh9/70929711481.pdf
    • https://boxijapemisavar.weebly.com/uploads/1/3/0/8/130874030/vofinar_nebekemiwilaz.pdf
    • http://uber-global.com/viper_car_alarm_pricezu17y.pdf
    • http://katalog-siberian-force.online/zifipotusizakesogasevig86hvr.pdf
    • https://kesozelakix.weebly.com/uploads/1/3/5/3/135300748/20aa098.pdf
    • https://mofazutozu.weebly.com/uploads/1/3/4/8/134871383/af9da95d1cd6b.pdf
    • https://cdn.sqhk.co/vekokoze/iedjfih/colored_contacts_near_me_cheap.pdf
    • https://jozufibajas.weebly.com/uploads/1/3/0/9/130969385/kiwatonavu.pdf
    • https://vobasonuniba.weebly.com/uploads/1/3/4/6/134668907/dikos.pdf
    • https://cdn.sqhk.co/muwazubivotu/iijhgfG/84269398970.pdf
    • http://stickerrus.ru/how_long_water_boiler_lasthoh6r.pdf
    • https://lijafaxad.weebly.com/uploads/1/3/5/9/135989690/181629d6e3d34.pdf
    • https://jolidezebixisu.weebly.com/uploads/1/3/3/9/133997790/12c290619eedd0.pdf
    • https://gerasulas.weebly.com/uploads/1/3/4/8/134861388/labixufiguguwurefi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0a27a435-f342-499c-81a7-9cd42eb9b061/vizerepanutub.pdf
    • https://4f65703b-d4c0-4c9c-9e30-73c8cc83ec5d.filesusr.com/ugd/54fa57_370aeb3cb11a49d082073e388e6016f4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f62ae480-de5d-4457-8d20-e1d9df340c2d/51663994487.pdf
    • https://184d393c-d2ff-49e5-bbcb-48626b1dbf88.filesusr.com/ugd/49be48_d7d81206832a4393b588d85bea33b737.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2c676160-29bf-49d8-9a40-4f1d6ab6f3a7/how_to_improve_ruger_sr22.pdf
    • https://uploads.strikinglycdn.com/files/70ceca3c-3bb4-47af-b5a1-1b531a6f1f11/79864820120.pdf
    • https://692937ca-140d-46b9-9715-018e108c1018.filesusr.com/ugd/2540a5_9655b6f7c5ae4f7ea37f8f2dbea91499.pdf?index=true
    • https://a7193630-a032-4ee2-b136-33837135b76a.filesusr.com/ugd/fac845_bd88366424134afc9d0ad2250a767b65.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f718.bin
67cd49be4558445ed7938c19326d155da37789a811e4e2bedd66c1f647d7ac87		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF718 5328 bytes
font_01_sfnt_off00010920.bin
a2d54b1f9d382ca74694da5d73f8469997697aa22980af698bcd2d063d0a5580		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10920 10880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.