Malicious PDF — malware analysis report

Static analysis result for SHA-256 8696a5795c35b9ad…

MALICIOUS

PDF

Size: 72.4 KB
Created: 2021-03-16 01:36:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1171113998ed6003340f9288e1798144
SHA-1: 50fe13cb48c4fba573d63efb51d1057b03cbdd63
SHA-256: 8696a5795c35b9ad8ef31851ba83300e2eb4ced67e21ff486c9518ef62793249
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a 'PDF_SEO_LINK_FARM'. This suggests the document's primary purpose is to redirect users to other sites, potentially for malicious purposes like phishing or malware distribution. The presence of a 'Download button' heuristic further supports a deceptive user interaction. While no scripts were directly extracted, the PDF structure and link farm indicate a likely attempt to deliver a second-stage payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://soxebez.ru/award?keyword=bescherelle+conjugaison+pdf+download
    • http://yarrebitteh.online/berlin_historical_inevitability20uy4.pdf
    • http://my-favshopg.online/practicas_de_cisco_packet_tracer_reszd5ro.pdf
    • http://virnet77.ru/cengel_heat_transferui3jj.pdf
    • http://donbetosstreettacos.com/pagujozepepavntobb.pdf
    • http://christmas-gift.ru/hamilton_beach_microwave_oven_instruction_manualubl0z.pdf
    • http://videohost.space/23376312828fe8gh.pdf
    • http://ifeelgood.club/starz_encore_black_east_schedule6w61p.pdf
    • http://kpupnov.pro/nadezabakexufi7ozjv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mawesenasijoser/66943036724.pdf
    • https://s3.amazonaws.com/nafamaragisek/62331554145.pdf
    • https://s3.amazonaws.com/nerugiraxura/alter_ego_2_french_book.pdf
    • https://uploads.strikinglycdn.com/files/6ad3c397-37dd-41e5-930f-97c0cf07b3af/how_to_reset_your_voicemail_on_iphone_11.pdf
    • https://uploads.strikinglycdn.com/files/a8deffca-0212-4eec-aeb7-2968c9200f90/wajejuzipefaxubafodesubo.pdf
    • https://efa91360-7c21-416c-9d60-3189e0beb381.filesusr.com/ugd/42ffc7_e6a76bceb3174a0ead4081dafe136d57.pdf?index=true
    • https://s3.amazonaws.com/bogeguva/ziwinoxazudasosasanoz.pdf
    • https://s3.amazonaws.com/juwofuxufijup/41883347972.pdf
    • https://7be8961d-effb-4c78-a255-78c3c9f0be09.filesusr.com/ugd/3dd68e_03561801a8fc46e7b0571cd766ae206e.pdf?index=true
    • https://s3.amazonaws.com/sajezife/1671991559.pdf
    • https://s3.amazonaws.com/resisuna/wozusapijefan.pdf
    • https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_d6adf8e5523f4777be48128722280362.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off0000dae4.bin
  SHA-256: f845f7f329c38911e752346cb4d471a2d9abfb3cd8af3171775cfe856f6861a6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDAE4
  Size: 5636 bytes

Artifact 2
  Filename: font_01_sfnt_off0000ee25.bin
  SHA-256: fc4e7383cc6c03615cec27e568e09e0476df8a0e4a977ae0f5727f4d07235e03
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEE25
  Size: 11732 bytes