Malicious PDF — malware analysis report

Static analysis result for SHA-256 91e737ef8dd9213e…

Verdict: MALICIOUS
File type: PDF
Size: 99.6 KB
Created: 2020-11-09 20:50:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f697ed99f66532bb175c2ce043b019a
SHA-1: d004eacb9ff1ebf51530c09ec0139422744e6293
SHA-256: 91e737ef8dd9213e0480bc20923be4b247fd05ac8def214b679e9f0e9218ab63
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links in the pattern of an SEO link farm, and the critical PDF_SEO_LINK_FARM heuristic fires on it. The lead extracted link, https://trafficel.ru/123?keyword=ceramic+egg+cooker+recipe, has the keyword-laden query string typical of a phishing or SEO-manipulation redirector. No JavaScript or other script content was extracted, so the T1059.007 mapping above is not corroborated by any recovered script; the evidence is the link structure, which is consistent with a spearphishing attachment used to route recipients to malicious or unwanted-software content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • PDF_URI (info): External URI
    The PDF contains at least one /URI action (an external URL action).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions). The finding stays at info level here, consistent with no script content having been extracted.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JavaScript, link annotation, document body, ...) say which channel reached each URL. No per-URL labels survived in this listing, so the list below is a raw string harvest: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and the remaining non-PDF http entries (ascendercorp.com, fedorahosted.org/lohit, opentle.org, dejavu.sourceforge.net, scripts.sil.org/OFL, gnu.org/licenses/gpl.html) are vendor and licence strings of the kind carried in embedded font programs, not link targets. The trafficel.ru URL and the links to hosted .pdf files are the candidates for the link-farm channel.
    • https://trafficel.ru/123?keyword=ceramic+egg+cooker+recipe
    • https://cdn-cms.f-static.net/uploads/4366655/normal_5f8db537d0595.pdf
    • https://cdn-cms.f-static.net/uploads/4365555/normal_5f884769a1ad4.pdf
    • https://cdn-cms.f-static.net/uploads/4390329/normal_5f9a17e4b590f.pdf
    • https://tarirubawapub.weebly.com/uploads/1/3/1/6/131606173/374977.pdf
    • https://cdn-cms.f-static.net/uploads/4426572/normal_5f9b1d8c3f649.pdf
    • https://cdn-cms.f-static.net/uploads/4389085/normal_5f912048bad2b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.opentle.org
    • https://s3.amazonaws.com/wukevirenesu/18821265440.pdf
    • https://uploads.strikinglycdn.com/files/86b4c300-faac-47eb-a4c8-0265440e8822/kemukigaberogov.pdf
    • https://uploads.strikinglycdn.com/files/05949530-fb57-4132-b661-ecc8c2a0f1d5/sozubejefaranapamitusevuv.pdf
    • https://uploads.strikinglycdn.com/files/ef91b137-183a-4a10-a43b-afa3d56c8d59/759090786.pdf
    • https://uploads.strikinglycdn.com/files/38a96c57-3ac7-4bdf-b38a-1ac4875a41bf/benogaxez.pdf
    • https://s3.amazonaws.com/wazorixekunafob/muraxibu.pdf
    • https://s3.amazonaws.com/podawakumepewez/21391188148.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
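
Both the link-farm and the duplicate-object heuristics work from the raw object syntax of the file rather than from a rendered view. The following Python, added here as an illustration and not the scanner that produced this report, reproduces the two checks on a constructed sample PDF: it harvests /URI link-annotation targets and applies the link-farm test (file size, link count, share of links on the busiest host), then finds object numbers defined more than once with differing bodies, reporting what a first-wins and a last-wins reader would each resolve and raising severity only when the later definition carries active content. The thresholds, the sample hosts (under the reserved .invalid TLD) and the object-scanning regex are assumptions; a real parser walks the xref chain instead of scanning for "obj ... endobj".

```python
"""Added example (not the scanner that produced this report): reproduce the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks by scanning a
PDF's raw object syntax. Thresholds and the sample document are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' in file order. A real parser walks the xref chain; this
# regex is fooled by binary stream data that happens to contain 'endobj'.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # literal-string /URI values
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

# Assumed thresholds for the link-farm heuristic.
MAX_FILE_SIZE = 512 * 1024     # "small PDF"
MIN_LINKS = 10                 # "many clickable external links"
MIN_HOST_SHARE = 0.6           # "mostly clustered on one host"


def scan_objects(pdf):
    """Yield (num, gen, body) for every object definition, duplicates included."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def link_uris(pdf):
    """External http(s) targets reached through /URI actions (link-annotation channel)."""
    uris = []
    for _, _, body in scan_objects(pdf):
        for m in URI_RE.finditer(body):
            target = m.group(1).decode("latin-1")
            if target.startswith(("http://", "https://")):
                uris.append(target)
    return uris


def link_farm_verdict(pdf):
    """PDF_SEO_LINK_FARM: small file, many external links, mostly on one host."""
    uris = link_uris(pdf)
    if not uris:
        return {"fires": False, "links": 0, "top_host": None, "share": 0.0}
    top_host, count = Counter(urlsplit(u).hostname for u in uris).most_common(1)[0]
    share = count / len(uris)
    fires = len(pdf) <= MAX_FILE_SIZE and len(uris) >= MIN_LINKS and share >= MIN_HOST_SHARE
    return {"fires": fires, "links": len(uris), "top_host": top_host, "share": share}


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than once
    with different bytes. Reports what a first-wins and a last-wins reader each
    resolve; severity is raised only if the last-wins body carries active content."""
    bodies = {}
    for num, gen, body in scan_objects(pdf):
        bodies.setdefault((num, gen), []).append(body.strip())
    findings = []
    for key, versions in bodies.items():
        if len(versions) > 1 and versions[0] != versions[-1]:
            active = any(k in versions[-1] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first_wins": versions[0],
                             "last_wins": versions[-1],
                             "severity": "high" if active else "info"})
    return findings


def build_sample(n_links=12):
    """Constructed sample (not the analysed file): a page with n_links /URI link
    annotations, all but one on the same host, followed by an incremental update
    that redefines the page object with an /AA JavaScript action."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = []
    for i in range(n_links):
        host = "cdn-example.invalid" if i else "other.invalid"
        objs.append(f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI (https://{host}/u/{i}.pdf) >> >> endobj".encode())
        refs.append(f"{10 + i} 0 R".encode())
    page = b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"]"
    trailer = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\n" + page + b" >> endobj\n" + trailer
    update = page + b" /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj\n" + trailer
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_verdict(sample))
    for f in duplicate_objects(sample):
        print(f["obj"], f["severity"], f["last_wins"][:70])
```

The host-share test is what separates a link farm from a long bibliography: a legitimate document with many citations spreads them over many hosts, while a generated carrier points almost every link at one CDN. The duplicate-object check deliberately compares the first and last definitions only, since those are the two that disagreeing readers actually resolve.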

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_009_off00015605.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x15605 | 18128 bytes | 6449f67896784ff96096aba6830263cf5f3424ce7326793a43e54e2e49b7ed85
font_00_sfnt_off0000cf48.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF48 | 7028 bytes | 36e24c356853a16985b4761866258f6f73d1b69c92ba6a652646d93593a5a989
font_01_sfnt_off0000e738.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE738 | 5012 bytes | 2e326a31e65994ae2b1bf2a492f2a12e243d359541c711c9dc0dc7d1b45e7a59
font_02_sfnt_off0000f831.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF831 | 2656 bytes | ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
font_03_sfnt_off00010338.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10338 | 2328 bytes | 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4
font_04_sfnt_off00010ded.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DED | 2108 bytes | 5fc9e2cd4e7ad04544edda2023dd698132b65daf167a61e09de9fd8de66d8b52
font_05_sfnt_off000117b8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x117B8 | 6640 bytes | 593a452f0795506ac97007ad32b21767cc543cb1bc716fd74108abb5279d52e6
font_06_sfnt_off00012956.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12956 | 14372 bytes | ccb6f5b44510fa4e53d2fedbd3a53242643e72d99392bfdf5c24dcfc3d1cfcb8
font_08_sfnt_off00017244.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17244 | 3276 bytes | 36e71c95d3b6602ce175a98ac99a2c18c99235fab0e24c6c46ec4ff9e72f8c94
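
How a carver arrives at entries like these, as an added example rather than the report's own tooling: the Python below walks the object headers of a raw PDF, balances each object dictionary, inflates every FlateDecode stream it finds, and labels the result pdf-font-stream when the inflated bytes start with an sfnt magic (TrueType, OpenType or collection) and decompressed-pdf-stream otherwise, recording offset, inflated size and SHA-256. The sample PDF is constructed inline, the filename scheme and the convention that "offset" means the first byte of the encoded stream data are assumptions, and streams that do not inflate are skipped rather than carved raw.

```python
"""Added example (not the report's own carver): extract and label FlateDecode
streams from a raw PDF the way the artifact table above does. The sample
document, naming scheme and offset convention are assumptions."""
import hashlib
import re
import zlib

HDR_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(?=<<)")       # object header followed by a dict
STREAM_KW = re.compile(rb"\s*stream\r?\n")                     # keyword that starts stream data
DIRECT_LEN = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct integer, not an 'n g R' ref
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType / Apple / CFF OpenType / TTC


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dict_end(pdf, start):
    """Index just past the dictionary opening at pdf[start:start+2] == b'<<',
    balancing nested << >> pairs (strings and comments are not special-cased)."""
    depth, i = 0, start
    while i < len(pdf) - 1:
        pair = pdf[i:i + 2]
        if pair == b"<<":
            depth, i = depth + 1, i + 2
        elif pair == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset %d" % start)


def carve_streams(pdf):
    """One record per FlateDecode stream that inflates cleanly, in file order."""
    artifacts = []
    for m in HDR_RE.finditer(pdf):
        num = int(m.group(1))
        dstart = m.end()
        dend = dict_end(pdf, dstart)
        dct = pdf[dstart:dend]
        kw = STREAM_KW.match(pdf, dend)
        if kw is None or b"/FlateDecode" not in dct:
            continue                          # not a stream, or not Flate-encoded
        off = kw.end()                        # assumed convention: first byte of encoded data
        ln = DIRECT_LEN.search(dct)
        if ln:                                # honour a direct /Length ...
            raw = pdf[off:off + int(ln.group(1))]
        else:                                 # ... else fall back to the endstream keyword
            raw = pdf[off:pdf.find(b"endstream", off)].rstrip(b"\r\n")
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            continue                          # truncated or corrupt: not carved here
        is_font = data[:4] in SFNT_MAGIC
        artifacts.append({
            "filename": (f"font_{num:02d}_sfnt_off{off:08x}.bin" if is_font
                         else f"stream_{num:03d}_off{off:08x}.bin"),
            "kind": "pdf-font-stream" if is_font else "decompressed-pdf-stream",
            "source": f"PDF {'embedded font (sfnt)' if is_font else 'FlateDecoded stream'} at offset 0x{off:X}",
            "offset": off,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return artifacts


# Constructed inputs (not from the analysed sample).
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 720 Td (ceramic egg cooker recipe) Tj ET\n"
# sfnt header stub: version 0x00010000, numTables 4, zero padding; not a usable font.
SAMPLE_FONT = b"\x00\x01\x00\x00\x00\x04" + b"\x00" * 58


def _stream_obj(num, extra, payload):
    comp = zlib.compress(payload)
    head = f"{num} 0 obj << /Length {len(comp)} /Filter /FlateDecode{extra} >>\nstream\n".encode()
    return head + comp + b"\nendstream\nendobj\n"


def build_sample():
    """A small PDF with one Flate content stream, one Flate sfnt font stream,
    one uncompressed stream and one corrupt Flate stream (the last two are skipped)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R "
            b"/Resources << /Font << /F1 5 0 R >> >> >> endobj\n"
            + _stream_obj(4, "", SAMPLE_CONTENT)
            + b"5 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Stub /FontDescriptor 6 0 R >> endobj\n"
            + b"6 0 obj << /Type /FontDescriptor /FontName /Stub /FontFile2 7 0 R >> endobj\n"
            + _stream_obj(7, " /Length1 64", SAMPLE_FONT)
            + b"8 0 obj << /Length 3 >>\nstream\nabc\nendstream\nendobj\n"
            + b"9 0 obj << /Length 5 /Filter /FlateDecode >>\nstream\nxxxxx\nendstream\nendobj\n"
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for a in carve_streams(build_sample()):
        print(a["filename"], a["kind"], a["source"], a["size"], a["sha256"])
```

Two details matter for a carver on hostile input: a direct /Length is trusted over searching for endstream, because compressed data can legitimately contain that keyword, and a stream that fails to inflate is reported separately rather than silently dropped, since a deliberately corrupted stream is itself a signal worth hashing.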