Malicious PDF — malware analysis report

Static analysis result for SHA-256 8793906e50def272…

MALICIOUS

PDF

78.8 KB Created: 2021-04-11 11:16:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-04
MD5: 0d7c824072928e654b36cb5faa9a0a3d SHA-1: a86ab2ab77705dd4f64d090525bdfe64c4f038c6 SHA-256: 8793906e50def2722945f6031027e10b2cfb18b1a8af7a2cf28933c930816712
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a large number of external links, identified as a link farm, suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were directly extracted, the PDF structure and numerous external links point towards an attempt to redirect users to malicious content, likely exploiting a PDF vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vectorcorp.net/sites/default/files/webform/resume/86038084563.pdf In PDF document text
    • https://ambrose.edu/sites/default/files/webform/48232920683.pdfIn PDF document text
    • https://www.mainephilanthropy.org/sites/default/files/30695142459.pdfIn PDF document text
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/niroxopewesanusogub.pdfIn PDF document text
    • https://ambrose.edu/sites/default/files/webform/71048230710.pdfIn PDF document text
    • http://oaklandchildcare.org/sites/default/files/webform/zomosazufexebale.pdfIn PDF document text
    • https://ambrose.edu/sites/default/files/webform/28695523124.pdfIn PDF document text
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/ziseriwutekezarog.pdfIn PDF document text
    • http://www.guninetwork.org/system/files/webform/heirri_proposals/wozat.pdfIn PDF document text
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/29410319198.pdfIn PDF document text
    • https://ambrose.edu/sites/default/files/webform/fenalop.pdfIn PDF document text
    • http://www.pbttphtk.gov.my/sites/default/files/webform/vojazasazobixupolaxi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=hollywood+video+sangePDF link annotation
    • https://www.vub.be/sites/vub/files/webform/fazarixi.pdfIn PDF document text
    • https://ubmemeaensoprod.s3.amazonaws.com/ifsec_international/call_for_papers/2021/03/kozavexol.pdfIn PDF document text
    • https://www.ice.cam.ac.uk/sites/www.ice.cam.ac.uk/files/webform/xegenaxug.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f5f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF5F7 5112 bytes
SHA-256: 34de9c34d3e6b734e178e8bacb3bf46780f848f324ee745cd4e006129048613c
font_01_sfnt_off0001078f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1078F 11648 bytes
SHA-256: 43bdac83366c39f6c9cfdb01acfb24d7c4875afc401c0f57bd48c271c6468478