Malicious PDF — malware analysis report

Static analysis result for SHA-256 93ccbd9c561cb8cd…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2021-03-08 23:31:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a483f0a75025cf74052409bbffc5803
SHA-1: ea7e362c56cb68007b8be58cf06fe42710446d81
SHA-256: 93ccbd9c561cb8cd0729e460895aaa5453f3f34a70706d8f17656973fcf55838
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a significant number of external links, identified as a link farm, suggesting a malicious intent to redirect users. ClamAV detected this as 'Pdf.Phishing.Trojan', and the ML classifier also flagged it with high confidence. While no scripts were directly extracted, the presence of numerous external URLs and the phishing detection strongly indicate a malicious document, likely used as part of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=operacine+sistema+android
    • https://cdn.sqhk.co/xaduwudixum/f4ghcig/free_water_parks_open_today.pdf
    • https://cdn.sqhk.co/bogonelemid/w60ieyj/stay_alive_game_download_pc.pdf
    • https://cdn.sqhk.co/jegamaxegev/ajhtnhb/dufuf.pdf
    • https://cdn.sqhk.co/gotakavapu/gjwhghi/nitopi.pdf
    • https://cdn.sqhk.co/xogixute/hhGghOD/easy_approval_payday_loans_for_bad_credit.pdf
    • https://cdn.sqhk.co/nuzitomizaj/icibjew/hangman_with_hints_online.pdf
    • https://cdn.sqhk.co/ditutafewaw/hcUsT8t/mazuwubuxadavat.pdf
    • https://cdn.sqhk.co/kimejijomaki/Vijigig/31073954079.pdf
    • https://cdn.sqhk.co/kikolibub/sxgg0gf/dunkleosteus_ark_size.pdf
    • http://defupezive.iblogger.org/26217449696.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://82cb18f6-4a40-4824-ac11-10070f72ce02.filesusr.com/ugd/5aec95_ab0b958e19324689b6bdf148375eae0b.pdf?index=true
    • https://s3.amazonaws.com/xozeb/77771516274.pdf
    • https://s3.amazonaws.com/wixanarer/47580796432.pdf
    • http://sokagozu.rf.gd/bocio_tireoide.pdf
    • http://jimanujomubil.epizy.com/36701805264.pdf
    • http://toxebejoni.rf.gd/made_to_stick_book_club_questions.pdf
    • http://mexawuzemogo.epizy.com/how_to_train_for_forklift.pdf
    • http://wisotoginiso.rf.gd/who_was_rousseau_and_what_did_he_do.pdf
    • http://xafegewoweli.epizy.com/noc_format_for_account_opening.pdf
    • https://s3.amazonaws.com/besafefaf/acrobat_vip_license.pdf
    • http://zavinawotomuvef.epizy.com/ap_chemistry_practice_test_1_answers.pdf
    • https://6cdb29d4-22ce-4aaf-9e51-562b59d50851.filesusr.com/ugd/1b20fb_d655313c73e94324bfe26c68ea4652bd.pdf?index=true
    • https://7e079b21-6cfc-4bbc-a8af-001f4930a7f2.filesusr.com/ugd/f66805_e5225d0f485544ce9435b7af003c6f62.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0000eab7.bin
    SHA-256: 43027eb0da1dcea653a6459033e2005c63b4c2a410cbe82f0e89e9f756f564ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAB7
    Size: 5000 bytes
  • Filename: font_01_sfnt_off0000fb93.bin
    SHA-256: aa1ed625ce82e5ef5417f5597b5c2a801f7a133f38b06ae0fc8468a21e88e92a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB93
    Size: 12164 bytes
  • Filename: font_02_sfnt_off000120b7.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x120B7
    Size: 4324 bytes