Malicious PDF — malware analysis report

Static analysis result for SHA-256 9617cca66cf24e93…

MALICIOUS

PDF

81.6 KB Created: 2021-03-19 09:59:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72ee040b4415e7331a5447346c54bae5 SHA-1: 7e3b3a7206d23f95e2c89ea9efccb6eec5c8c29c SHA-256: 9617cca66cf24e93a755e26510e7fef6896daffd32e78c89f16d00c7a4fbdeb2
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many of which are likely part of a link farm designed to distribute malicious content or conduct phishing. The 'SE_CALLBACK_LURE' heuristic suggests a potential for callback phishing or tech-support scams. ClamAV detection and ML classification confirm the malicious nature of the document, indicating it likely exploits vulnerabilities or tricks users into downloading further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/aws?utm_term=coleman+string-tie+lantern+mantles+%252321+-+2+pack
    • http://uaportal.site/aflatoxin_m1_in_milkatpzd.pdf
    • https://cdn.sqhk.co/gonolesuzam/gqgidie/md_emu_free_roms.pdf
    • https://cdn.sqhk.co/xibetevoxaj/fojb4z6/occupation_2._5_apk_mod.pdf
    • http://vkysnaya-eda.site/14266794652qyudm.pdf
    • https://cdn.sqhk.co/kezomerameki/dpLv3FY/899101605.pdf
    • https://cdn.sqhk.co/dibitarebizu/hfluigW/dj_bass_booster_and_equalizer_2020_apk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lubaxekivixoze.rf.gd/pelamonepizen.pdf
    • https://f421159b-d329-41e8-bc42-072bc93e4c50.filesusr.com/ugd/65d6f7_cd1b821496b3473a929e5bf7c9885805.pdf?index=true
    • https://ed7c5604-ec0f-4ae6-9d22-6d534b57d154.filesusr.com/ugd/1d5a3f_3bd3ba3d5eeb49a5b993326c53f2cbfe.pdf?index=true
    • https://882e4f53-a7e1-4d4a-89e8-a6e6d9f9b805.filesusr.com/ugd/9a13d2_8f87476a040a431aa0e0d9a04bd9bdbe.pdf?index=true
    • https://488a161d-122f-4e25-b35e-34d1d0e27b34.filesusr.com/ugd/bbc910_cf2d375d7dcb4cbf957b2a45b9e7f39d.pdf?index=true
    • https://2c91b947-1dd8-401e-ae91-d595f2f75867.filesusr.com/ugd/0af078_3725d236f3904524bd2ce77e1e4c4212.pdf?index=true
    • https://6ec3981f-6443-463b-a164-91fc69f101d9.filesusr.com/ugd/7603ae_cd462e4c2fd142b5b9e8d68253fc1eda.pdf?index=true
    • https://f0198b83-f3fe-41b4-8315-bacd7eabb238.filesusr.com/ugd/2b3f46_22175dd4f76840dc8eee73f9f068914c.pdf?index=true
    • https://c01188fd-d8af-4b86-846b-090f7ecd58d8.filesusr.com/ugd/9058e5_a5c4fbac2d9b47bdb005bd8e3d9d4547.pdf?index=true
    • http://vubixegigag.rf.gd/pakodebefo.pdf
    • https://56db2a4d-09ce-4ff6-a558-abb1d6727cd4.filesusr.com/ugd/003b86_9af95bf1f47c49d4bccd92101e852257.pdf?index=true
    • https://dae57379-2785-4108-a223-4562ecbfc22e.filesusr.com/ugd/87ad98_97bd95e156a14733a1042338ed03297a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010158.bin
9c617d47d96e93be296acb1a66e714892750b36ba20c1960555ea009100836bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10158 4944 bytes
font_01_sfnt_off0001120d.bin
67818baad3b6951102135776188dbdaeb28a487963049ff79de8211a1c61e80c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1120D 11144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.