Malicious PDF — malware analysis report

Static analysis result for SHA-256 937af6df7ddd1547…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-03-14 10:11:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08420f9ae9e6ad14feb43f9d283a3015
SHA-1: ae29350f947c3badeb233b1382d68a348a50db93
SHA-256: 937af6df7ddd15471b857f5630ffc38c79776bb10b655c5d156c37c337914c33
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links, a common carrier for phishing or for routing users into further malware delivery. The 'PDF_SEO_LINK_FARM' heuristic fires because the links are numerous for a 77.9 KB file and are clustered on a handful of free-hosting domains (weebly.com, strikinglycdn.com, sqhk.co, s123-cdn-static.com), the shape of a generated SEO link-farm PDF rather than of normal document citations. The ML classifier (malicious score 0.9996) and ClamAV (signature family 'Pdf.Phishing.Trojan') independently classify the file as malicious. No JavaScript or other active content was extracted, so the T1059.007 mapping rests on the detection names rather than on observed script content; the verdict rests on the link-farm structure together with the two detections. The authoring tool (wkhtmltopdf) and the font and XMP metadata URLs in the link list are consistent with an auto-generated HTML-to-PDF document and are not themselves indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware with the signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • PDF_URI (info): External URI
    The PDF contains at least one external URL (/URI) action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with body bytes that differ. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; no active content was found here, hence the info rating.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; which channel (macro, JS, link annotation, document body, ...) reached each URL is recorded in the per-URL labels, which are not reproduced in this listing.
    • https://seumenha.ru/wix?keyword=baker+street+song+alto+sax+sheet+music
    • https://sisumojixidew.weebly.com/uploads/1/3/4/3/134355683/84491e107.pdf
    • https://jabuvevakeg.weebly.com/uploads/1/3/4/6/134685488/19054335f23.pdf
    • https://static.s123-cdn-static.com/uploads/4481161/normal_6000336c61a09.pdf
    • https://tirotoperanape.weebly.com/uploads/1/3/4/3/134315774/492a6.pdf
    • https://ximapufem.weebly.com/uploads/1/3/1/4/131437784/5727966.pdf
    • https://cdn.sqhk.co/zifakepavax/RGN2OtP/how_to_write_a_proposal_for_work_template.pdf
    • https://static.s123-cdn-static.com/uploads/4402250/normal_5ffc168df19d3.pdf
    • https://sevujixosatanin.weebly.com/uploads/1/3/5/3/135316334/dde29ac01.pdf
    • https://cdn.sqhk.co/wolebiduju/tkZHigI/85897867493.pdf
    • https://cdn.sqhk.co/vemegunir/ifvilji/scp_containment_breach_mod_for_minecraft.pdf
    • https://cdn.sqhk.co/makafabakuna/Cpgjcjh/download_tiny_battleground_mod_apk_unlimited_money.pdf
    • https://kiwotatuna.weebly.com/uploads/1/3/1/8/131856308/51f4d4.pdf
    • https://bopevifobomamak.weebly.com/uploads/1/3/0/8/130814579/31145.pdf
    • https://cdn.sqhk.co/tavimuxeju/icyhiff/koloxuruxoverun.pdf
    • https://liletalezawo.weebly.com/uploads/1/3/4/5/134591830/2743671.pdf
    • https://baxelawinojiw.weebly.com/uploads/1/3/4/3/134333718/rabikatajadobuneru.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5322a53d-babf-4853-9796-6cc1b3b4f6f1/nefeburapajovufanifoji.pdf
    • https://uploads.strikinglycdn.com/files/85c77775-6be3-4db6-a615-01135c44b078/mixed_gas_laws_practice_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/c585aff3-659a-41c0-bc8d-e98367908248/history_of_the_internal_combustion_engine_video.pdf
    • https://uploads.strikinglycdn.com/files/03323f3b-1135-4510-83a5-819b570ba337/31225306236.pdf
    • https://uploads.strikinglycdn.com/files/f7a73434-aaea-4632-babe-83d80f2ab96d/70142134961.pdf
    • https://uploads.strikinglycdn.com/files/fa198994-0c84-41ff-b8de-1b3573a77518/65482982835.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The two ascendercorp.com URLs and the last seven entries are not link targets: the ascendercorp.com URLs are font vendor/designer URLs of the kind carried in an embedded font's name table (Ascender Corp is a font foundry), scripts.sil.org/OFL is the SIL Open Font License URL, and the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers. All of them are expected in wkhtmltopdf output and carry no weight in the verdict. The actionable targets are the seumenha.ru keyword URL and the PDF links hosted on weebly.com, s123-cdn-static.com, sqhk.co and strikinglycdn.com.

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs, which wkhtmltopdf output routinely carries; no heuristic in this report is tied to them.

  • font_00_sfnt_off0000f138.bin
    SHA-256: 3684bcb854d6c3d4ecf4500dd11938a9a1474acc37d52e076865cea5e9f98390
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF138
    Size: 5396 bytes
  • font_01_sfnt_off00010371.bin
    SHA-256: fbc8f0d84a524947af4d9a5591b46d2f25392fd447f8a9f9f73576972e85b756
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10371
    Size: 11648 bytes