Malicious PDF — malware analysis report

Static analysis result for SHA-256 9790819813d4250f…

MALICIOUS

PDF

79.2 KB Created: 2021-03-22 23:49:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 685c96392b4ae143ea46872c48cbef32 SHA-1: 6fcd23c8d2f2269974d01b244356fe279f1ec022 SHA-256: 9790819813d4250f04d8dcc15883d4c3fdf9dcd63b2973fd32d5bb761334aeb1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. The PDF contains a large number of external links, suggesting it is part of a link farm designed to manipulate search engine results or direct users to malicious sites. No scripts were extracted, but the presence of numerous external URLs is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=sony+xperia+manual+camera
    • https://cdn.sqhk.co/lesasafo/geiaHeQ/nazisu.pdf
    • http://pafunote.iblogger.org/ruvoketep.pdf
    • https://dogusomuribe.weebly.com/uploads/1/3/0/8/130814063/talulo.pdf
    • https://jiparebifipi.weebly.com/uploads/1/3/4/6/134638028/2578241.pdf
    • https://lipodemofuxe.weebly.com/uploads/1/3/5/3/135316225/xiluzevom.pdf
    • https://vuginavoji.weebly.com/uploads/1/3/0/7/130775358/fisikus.pdf
    • https://cdn.sqhk.co/neviragar/DjbAgfQ/nostalgia_critic_titanic_tv_tropes.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3e1af3dc-cf37-4f58-935d-0a6065bc5ce9.filesusr.com/ugd/3ca236_db6186527bc445b7a9c6f3582343acc7.pdf?index=true
    • https://945b3f91-9c76-4178-be32-f0dab3cfe2c6.filesusr.com/ugd/8d5d69_3aa10e722ed741ab9dd6968c194106ec.pdf?index=true
    • https://cb6d8354-940b-4e05-9f1d-0150973ab277.filesusr.com/ugd/882da0_31e0319283814efb854f4785b85f62ef.pdf?index=true
    • https://7a9095e9-4ba3-4ff7-9406-a75d0382ce8a.filesusr.com/ugd/db93e9_0f37b3397a65403e95a113c347bd3b9e.pdf?index=true
    • https://35548484-ce42-4b18-9d9d-834326683263.filesusr.com/ugd/a221b6_cf3ccd2c54ae4ad6a47243a111a03296.pdf?index=true
    • https://6e345194-e688-4037-aa24-2ff230a16836.filesusr.com/ugd/ce9fe1_702a224971b04b8281e5953a48954c14.pdf?index=true
    • https://4ec63ec4-77bf-4499-900e-7c522af20654.filesusr.com/ugd/35bdb9_fdadb1667aca458e9a73d44de311a5b4.pdf?index=true
    • https://3465328d-eb21-4af5-a94e-b8fdacefaafa.filesusr.com/ugd/c63bf9_51cf7d13a5214d62af87c56627ca93f2.pdf?index=true
    • https://acfcda0b-1795-4b40-aedc-9a0bc13047ce.filesusr.com/ugd/89c6ad_65055f3db37843cdb80ac44b10b39701.pdf?index=true
    • https://34fef40c-4934-4c56-b24d-59915ed92566.filesusr.com/ugd/806295_704c5a3829394226afcd4742a35c572c.pdf?index=true
    • https://b1e6e3cd-24a2-426a-8b7d-e8f4bd81915b.filesusr.com/ugd/83e584_b9a9559219ad4f01a0dc48ede8d5c5b5.pdf?index=true
    • http://fegatiteberev.epizy.com/14231920863.pdf
    • https://02408c19-b9f6-4996-a596-1d5b7e46c8d3.filesusr.com/ugd/c83fdb_830a3dfaffe0457c8a1b9ec5a0ed4bcb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3fc.bin
2271dcbc13ff6793365da676a6ac43eabc2720b6d208958016b3a2b97cf4b938		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3FC 5176 bytes
font_01_sfnt_off00010590.bin
ed5768054edd39bcc1db0cf419b76cada4cf1024b290b14449f693bc8967464e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10590 13096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.