Malicious PDF — malware analysis report

Static analysis result for SHA-256 87776b71dd8b93ee…

MALICIOUS

PDF

84.6 KB Created: 2021-03-20 18:27:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9177b3bd1819fc14baca88019d6e29c7 SHA-1: e21593e3ad103c5ac504ae188ce21b213306e02d SHA-256: 87776b71dd8b93ee34272e224b22d3e83159c32ff75f1e624c7982a50a36d6f4
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically a phishing or SEO manipulation tactic. While no scripts were directly extracted, the PDF structure and embedded URLs suggest it's designed to redirect users to potentially malicious or spam-related content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=general+english+questions+and+answers+pdf+for+ssc
    • http://motowifenizemuz.22web.org/adventure_capitalist_moon_guide.pdf
    • https://cdn.sqhk.co/fidapulano/FptZijI/detention_officer_hiring_near_me.pdf
    • https://cdn.sqhk.co/sogunixe/pnjfbYb/chikki_bar_machine.pdf
    • https://cdn.sqhk.co/mafozerekat/HibYfyI/pesugirafulidulo.pdf
    • https://static.s123-cdn-static.com/uploads/4408190/normal_5ff603e299b36.pdf
    • https://cdn.sqhk.co/zujubokave/g8Ngfij/limisomiw.pdf
    • http://xawaliduza.iblogger.org/2817834687.pdf
    • https://cdn.sqhk.co/fadanade/HidDggj/walking_dead_menace_crossword_clue.pdf
    • https://cdn-cms.f-static.net/uploads/4461249/normal_601af013d5636.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/dudujopixejikug/books_for_gate_computer_science.pdf
    • https://uploads.strikinglycdn.com/files/d3a84fe8-8fc4-44c4-a1e8-7272ec142c1e/grohe_shower_faucet_cartridge_replacement.pdf
    • https://s3.amazonaws.com/xufaxoferugod/31055373848.pdf
    • http://vumijasi.epizy.com/boss_me_25_driver_windows_7.pdf
    • https://s3.amazonaws.com/kovezux/zezusonozixedulumoxebiv.pdf
    • http://kegipufi.rf.gd/87071561969.pdf
    • https://4b98dde3-f65d-4e11-807b-d4501949e87b.filesusr.com/ugd/4a7ebd_730fe97ede9540ce924b45366b931f07.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f480ee46-cf98-428a-956b-50fde4022fce/4707257354.pdf
    • https://s3.amazonaws.com/befafuni/symbolic_logic_book.pdf
    • https://uploads.strikinglycdn.com/files/f3d91c3a-cc39-476d-9e7d-7315d30d8e88/what_does_mean_in_javascript_dollar_sign.pdf
    • https://s3.amazonaws.com/lowebemuwojiso/problemas_politicos_en_mexico_2019.pdf
    • https://uploads.strikinglycdn.com/files/49f96048-e21d-4af1-908b-c37bf523048e/58280971337.pdf
    • https://uploads.strikinglycdn.com/files/8b5b0515-1e3a-44bd-b30d-5039e11413ef/self_worth_worksheets_printable.pdf
    • https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_83a3d940874c48ab8292b99e73b69bfe.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000109f7.bin
e177eec441b8ff28590c75d2b3b3a63ce9b293774bbbb996873f299a4345e57f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109F7 5668 bytes
font_01_sfnt_off00011d43.bin
ba15ef702e68e30a0730f774ed148f66f656500eb86e6e842e5e956185c53dee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D43 11040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.