Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b7c7a3a5e954e2b…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-03-22 12:45:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dcb0cd04b75af18632110633424ad93d
SHA-1: b456292cf83b690146c2df01d7620f4b175f0eb7
SHA-256: 9b7c7a3a5e954e2bc895976f1273e15f84de56a8db8a74b5bca88b92fee85d75
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries numerous clickable external links, most of them pointing into a link farm of generated download pages dressed up as legitimate resources. The ClamAV signature hit and the ML classifier score both point to malicious intent, most likely phishing or malware distribution. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates that the document gives password instructions for an attachment or archive, a common tactic for keeping a payload encrypted until it is past gateway scanning. Note that none of the listed heuristics reports JavaScript in the document, so the T1059.007 mapping is not corroborated by the static findings shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net entries are XMP namespace and font-licence URIs, most likely from the document metadata and the name tables of the embedded fonts, rather than link targets.
    • https://pelibifir.ru/award?keyword=dictionary+arabic+to+urdu+free+download+pdf
    • http://casbah2point0.com/hydrolysis_constant_of_aniline_hydrochloridem1x70.pdf
    • https://nobezowav.weebly.com/uploads/1/3/4/4/134461072/652b4b15481.pdf
    • https://jatufabafalili.weebly.com/uploads/1/3/1/6/131637938/xirivanep.pdf
    • http://mitutepoka.medianewsonline.com/bidesobibomuguposavevig.pdf
    • https://static.s123-cdn-static.com/uploads/4418565/normal_5fde1f60df6f8.pdf
    • http://gejokakop.mygamesonline.org/search_engine.pdf
    • https://vamabeloketofip.weebly.com/uploads/1/3/4/3/134344852/suwixapitam.pdf
    • https://dapunilak.weebly.com/uploads/1/3/4/5/134506399/5047577.pdf
    • https://cdn-cms.f-static.net/uploads/4454671/normal_603136397a836.pdf
    • http://tometifo.getenjoyment.net/arduino_starter_kit_manuale_italiano.pdf
    • https://cdn-cms.f-static.net/uploads/4453328/normal_601f995ed3a36.pdf
    • https://kukotefuses.weebly.com/uploads/1/3/1/6/131637352/9932052.pdf
    • http://yeswins.space/17452298903dd8sf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/95a14bed-96b7-4d45-a96d-8ce2530fe1ee/fiwigenuzugedodapixigalu.pdf
    • https://uploads.strikinglycdn.com/files/22375ac3-5afb-4ed3-8cbe-2d840e0439ac/losakawaka.pdf
    • https://3175e58c-9db9-4d87-bcb9-15e03531d93d.filesusr.com/ugd/c93210_fd4f7cdad08c4b8483cec5c0147dc775.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fad8d2a9-e16e-44f8-bdcf-57786d1b36ca/geronimo_stilton_saison_1_episode_5.pdf
    • https://uploads.strikinglycdn.com/files/c5c8ab2f-9f41-4e0a-9576-33b194a9a4b7/53490800756.pdf
    • https://uploads.strikinglycdn.com/files/d2021a99-89a7-4316-98ed-658f8e69adca/74705707646.pdf
    • https://76bf42c0-7447-45ed-8dd3-33f9786ae3ae.filesusr.com/ugd/ba2c19_45f3be0549a44a62ad6c7d5bac090cee.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
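The PDF_SEO_LINK_FARM, PDF_URI/EMBEDDED_URL channel labelling and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with the Python standard library. The block below is an added example written for this page, not the analysis platform's own code. It builds a constructed PDF (invented hosts farm.example, cdn.example and other.example, invented object numbers, no xref table), extracts /URI actions and clusters them by host, separates clickable /URI targets from URLs that merely appear in an XMP metadata stream, and shows which body a first-wins versus a last-wins reader resolves for an object redefined in an incremental update. The thresholds (8 links, 60% share on one host, 250 KB) and the ACTIVE_KEYS list are assumptions for the example, not the platform's values.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed example: hosts, object numbers and thresholds are invented and do
# not come from the analysed sample or from the analysis platform's rules.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
S_URI_RE = re.compile(rb"/S\s*/URI\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal strings only; hex strings/escaped parens not handled
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch")  # assumed "active content" markers


def build_sample_pdf(farm_links=9, other_hosts=("cdn.example", "other.example")):
    """Minimal PDF: catalog, page with /URI link annotations (most on one host),
    an XMP metadata stream whose namespace URI is not a link, then an incremental
    update that redefines object 1 with an /OpenAction. No xref is written; the
    detectors below scan 'N G obj ... endobj' by regex, as static triage does."""
    links = [f"http://farm.example/file{i}.pdf" for i in range(farm_links)]
    links += [f"https://{h}/doc.pdf" for h in other_hosts]
    annots, link_objs = [], []
    for n, url in enumerate(links, start=10):
        annots.append(f"{n} 0 R")
        link_objs.append(f"{n} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                         f"/A << /S /URI /URI ({url}) >> >> endobj")
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj",
        "3 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\nendstream endobj',
        "4 0 obj << /Type /Page /Parent 2 0 R /Annots [" + " ".join(annots) + "] >> endobj",
    ] + link_objs
    original = "%PDF-1.4\n" + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update after %%EOF: object 1 is redefined and now carries an
    # /OpenAction. A first-wins reader never sees it; a last-wins reader runs it.
    update = ("1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R /OpenAction 5 0 R >> endobj\n"
              "5 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj\n"
              "trailer << /Root 1 0 R >>\n%%EOF\n")
    return (original + update).encode("latin-1")


def iter_objects(pdf):
    """Yield (num, gen, body, offset) for every indirect object in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def uri_actions(pdf):
    """URLs reached through /URI actions, i.e. the clickable channel."""
    return [u.decode("latin-1") for _, _, body, _ in iter_objects(pdf)
            if S_URI_RE.search(body) for u in URI_RE.findall(body)]


def url_channels(pdf):
    """Label every URL in the raw bytes by the channel it was seen in."""
    clickable = set(uri_actions(pdf))
    return {m.group(0).decode("latin-1"):
            ("link-annotation" if m.group(0).decode("latin-1") in clickable else "document-body/metadata")
            for m in ANY_URL_RE.finditer(pdf)}


def link_farm(pdf, min_links=8, min_share=0.6, small_bytes=250_000):
    """Flag a small PDF whose clickable links cluster on one host (thresholds assumed)."""
    urls = uri_actions(pdf)
    hosts = Counter(urlparse(u).hostname for u in urls)
    top, n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = n / len(urls) if urls else 0.0
    return {"links": len(urls), "top_host": top, "share": round(share, 2),
            "flag": len(pdf) <= small_bytes and len(urls) >= min_links and share >= min_share}


def duplicate_definitions(pdf):
    """(num, gen) -> distinct body digests, for objects defined with differing bodies."""
    seen = {}
    for num, gen, body, _ in iter_objects(pdf):
        digest = hashlib.sha256(body).hexdigest()[:12]
        if digest not in seen.setdefault((num, gen), []):
            seen[(num, gen)].append(digest)
    return {k: v for k, v in seen.items() if len(v) > 1}


def resolve(pdf, num, gen, policy):
    """Body a first-wins ('first') or last-wins ('last') reader uses for num gen."""
    bodies = [b for n, g, b, _ in iter_objects(pdf) if (n, g) == (num, gen)]
    return bodies[0] if policy == "first" else bodies[-1]


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def duplicate_object_severity(pdf):
    """'info' for body-only differences, 'high' if either resolution carries active content."""
    worst = "none"
    for num, gen in duplicate_definitions(pdf):
        active = any(has_active_content(resolve(pdf, num, gen, p)) for p in ("first", "last"))
        worst = "high" if active else ("info" if worst == "none" else worst)
    return worst


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("link farm:", link_farm(sample))
    for url, channel in url_channels(sample).items():
        print(f"  {channel:24} {url}")
    print("duplicate objects:", duplicate_definitions(sample))
    print("duplicate-object severity:", duplicate_object_severity(sample))
```

Two design points carry over to real triage: the link-farm score only counts URLs reached through a /URI action, so namespace URIs sitting in XMP metadata or font name tables never inflate the host cluster, and the duplicate-object rule deliberately stays at "info" when both definitions are inert, because benign incremental saves rewrite object bodies all the time.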

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d7cd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD7CD   5304 bytes
  SHA-256: f8f1afdbfec8b15c2aab09149f52e5ec6022ad5a6dd5acb72ae0f13e15d98ccf
font_01_sfnt_off0000ea04.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEA04   10424 bytes
  SHA-256: 9c1e0c862a8107b61e58ae78d18807a77ee6bb79e2ef1695a64cd1e60266b643
font_02_sfnt_off00010dde.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10DDE  17568 bytes
  SHA-256: 47ba3c71a5e2cfa2d6703285fe1128407d33a2c3e3608250a26c31f2fb8c9e9d