Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a8fa1d4467bb861…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2021-03-22 06:49:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e42f3e576ba6aff241ee3f285585897
SHA-1: bf62baf27feb849dc937a3efc2affb69db711374
SHA-256: 8a8fa1d4467bb861ecbba95533df218f2a35c7bc1b618534795a99dc2debee3f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier with high confidence. It contains a large number of external links, indicating a potential link farm or redirection scheme. While no scripts were explicitly extracted, the presence of external URIs and the overall detection suggest it is designed to lead users to malicious content, likely through a phishing or social engineering pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e34c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE34C   5176 bytes
  SHA-256: 3d1cc2eba57d4386d9ee0a10a059ebc035487acd94f67fe87ad4c32128f6e2c2
font_01_sfnt_off0000f4ec.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF4EC   11192 bytes
  SHA-256: a0b6588a7673cf9ab2480e1c5e5ff82f6661755956d6351253a4450880359bd9