Malicious PDF — malware analysis report

Static analysis result for SHA-256 893417b2fe3e2d79…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-04-06 21:03:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d2931af851bd250165b0d44ff572f91b
SHA-1: 79b631c82a668d56d4edf4fa4c436b85c9aa9907
SHA-256: 893417b2fe3e2d7910bda0bde930cb725ddc8d63a39067306385c5e8cf5451d3
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a pattern typical of SEO-spam and phishing carriers. The 'ML_NYX_PDF_MALICIOUS' classifier verdict and the 'CLAMAV_DETECTION' heuristic both point to malicious intent, with ClamAV identifying the file as 'Pdf.Phishing.Trojan'. The embedded URLs, most of them clustered on a handful of hosts, indicate the document exists to route users to external websites, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/award?keyword=genetica+zanichelli+pdf
    • https://kaledawuvilef.weebly.com/uploads/1/3/4/7/134727412/3391015.pdf
    • https://static.s123-cdn-static.com/uploads/4423166/normal_5fe603ed57078.pdf
    • http://topstudy.fun/80783755946ful6n.pdf
    • https://static.s123-cdn-static.com/uploads/4427094/normal_600964439fe3f.pdf
    • https://cdn.sqhk.co/kowaziwaso/CgcifyF/rafolam.pdf
    • https://dinidoleto.weebly.com/uploads/1/3/0/9/130969871/3218605.pdf
    • https://cdn-cms.f-static.net/uploads/4384026/normal_6064fe2d12117.pdf
    • https://cdn.sqhk.co/dipopoji/hdG4XNV/87769110292.pdf
    • http://summer-italy.fun/20807735646wy9u6.pdf
    • http://winoraama.website/gobudeta9nq6o.pdf
    • https://cdn.sqhk.co/desogepupema/hjIKEQP/96693870771.pdf
    • https://cdn-cms.f-static.net/uploads/4421943/normal_5fe9eb30d84c6.pdf
    • https://static.s123-cdn-static.com/uploads/4486997/normal_5fc9524b4c067.pdf
    • https://cdn-cms.f-static.net/uploads/4467586/normal_60277db947f32.pdf
    • https://xerazagas.weebly.com/uploads/1/3/0/8/130813913/gepiwakot-kujesaroninex-majawutiwefol.pdf
    • https://cdn.sqhk.co/jisepozidis/Khbhexy/55178673842.pdf
    • https://cdn.sqhk.co/ravusigi/HiiijdY/pebujofukenatoxejev.pdf
    • https://cdn.sqhk.co/fumamimed/vhcieGi/69692504523.pdf
    • https://cdn.sqhk.co/nasubivapu/jfwifzt/wavemotigujadetuwanowenup.pdf
    • https://cdn.sqhk.co/gixekoji/gh2pjbO/38552799667.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
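The three structural heuristics above (PDF_SEO_LINK_FARM, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan that deliberately ignores the xref table, so that every definition of an object is seen rather than only the one the xref points at. The following is an added example, not the analysis platform's own code: it lists duplicate objects with their first-wins and last-wins bodies, raises severity only when the duplicate carries active content (the benign body-only incremental-update case stays at info), extracts /URI action targets, and clusters them by host. The ACTIVE_KEYS list, the link-farm thresholds, the helper names and the constructed sample PDF (reserved example hostnames) are this example's own assumptions.

```python
"""Triage helpers mirroring three of the report's heuristics (added example,
not the analysis platform's code).  Standard library only."""
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<!\w)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence makes a redefined object "active" (assumption: our list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm",
               b"/OpenAction", b"/AA", b"/URI")


def scan_objects(data):
    """{(num, gen): [body, ...]} in file order, xref table ignored on purpose
    so every definition (including incremental-update redefinitions) is seen."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m[1]), int(m[2])), []).append(m[3].strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with differing bodies.  Reports what a
    first-wins and a last-wins reader resolve; severity is raised only when
    one of the bodies carries active content."""
    hits = []
    for (num, gen), bodies in scan_objects(data).items():
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        hits.append({"obj": f"{num} {gen}", "first_wins": bodies[0],
                     "last_wins": bodies[-1],
                     "severity": "critical" if active else "info"})
    return hits


def extract_uris(data):
    """All /URI literal-string targets in byte order (duplicates included),
    with PDF backslash escapes for ( ) and backslash removed."""
    return [re.sub(r"\\([()\\])", r"\1", m[1].decode("latin-1"))
            for m in URI_RE.finditer(data)]


def link_farm_check(urls, min_links=5, min_share=0.5):
    """Flag a link set that is both sizeable and clustered on one host
    (thresholds are assumptions for this example)."""
    if not urls:
        return {"link_farm": False, "top_host": None, "share": 0.0, "links": 0}
    host, n = Counter(urlsplit(u).hostname or "" for u in urls).most_common(1)[0]
    share = n / len(urls)
    return {"link_farm": len(urls) >= min_links and share >= min_share,
            "top_host": host, "share": round(share, 2), "links": len(urls)}


def triage(data):
    """Run all checks and return a report-style summary."""
    urls = extract_uris(data)
    return {"duplicates": duplicate_objects(data), "urls": urls,
            "link_farm": link_farm_check(urls)}


def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _link(num, url):
    return _obj(num, b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ("
                + url + b") >> >>")


# Constructed sample: a base PDF plus an incremental update that redefines
# 4 0 obj (link now points at another host: active content) and 9 0 obj
# (a body-only /ModDate change: benign).  Hostnames are reserved examples.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >>")
    + _link(4, b"https://docs.example.org/manual.pdf")
    + b"".join(_link(5 + i, b"https://cdn.example.test/u/%d/f.pdf" % i) for i in range(4))
    + _obj(9, b"<< /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210406210305) >>")
    + b"trailer\n<< /Root 1 0 R /Info 9 0 R >>\n%%EOF\n"
    + _link(4, b"http://topstudy.example/x\\(1\\).pdf")
    + _obj(9, b"<< /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210406210400) >>")
    + b"trailer\n<< /Root 1 0 R /Info 9 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2,
                     default=lambda b: b.decode("latin-1")))
```

On the sample, 4 0 obj is reported as critical (a first-wins reader follows the docs.example.org link, a last-wins reader the topstudy.example one) while 9 0 obj stays at info, and the six /URI targets cluster 4/6 on cdn.example.test, which trips the link-farm check. The regex scan does not decode compressed object streams, so for a real sample run it after inflating /ObjStm contents or alongside a proper parser.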

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e1d9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE1D9   5052 bytes
  SHA-256: 6ce1a04c157e11ec3288014dae5629462fe0b56bffbb0d0532e674a5345c7e5e
font_01_sfnt_off0000f318.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF318   11892 bytes
  SHA-256: a2c1f43ee8a1bd639a3c74fc24556d03f9b92fbd52b10fdf51e67108132b4d8c
font_02_sfnt_off00011a3e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11A3E  16136 bytes
  SHA-256: 1e7fdb31b54ef2a4cdb2f84d22e063d8c26a2a28ab8f5db0467027e4d7862b75