Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c1c3653c74f3dc6…

Verdict: MALICIOUS
File type: PDF
Size: 104.1 KB
Created: 2021-03-01 14:11:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 2c139c024a2c38a01fcdb0d20243c939
SHA-1: 3c9271a27b1a597f31c13f0e8d510ccba150280c
SHA-256: 9c1c3653c74f3dc6405418bfbf5f31d7ce6f67ee61111d114171d66251b5f581
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic firing indicating a link farm and an embedded URI pointing to a suspicious domain. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. Although no scripts were directly extracted, the PDF structure and embedded links are indicative of a phishing lure designed to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00011565.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x11565, 6816 bytes
    SHA-256: 95783c8e0e9b71dc37f6e9a82ca5508809c10b4a977df5a06bbeed3bd4984f1c
  • font_01_sfnt_off0001268d.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1268D, 5256 bytes
    SHA-256: 79c75f3506eb14a0becc88cead41c05795620a83a890f9913bf70e62f015c9da
  • font_02_sfnt_off0001381c.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1381C, 6364 bytes
    SHA-256: 707b9eb8074dc54a9393a448815126b1beba9cd8b6d81436df54c5a8ac447d22
  • font_03_sfnt_off000147b0.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x147B0, 15880 bytes
    SHA-256: cc4657e4a309d0b2f2b342af2bd8805d7fac3d062daee4e3e7f8745bfdabbd8e
  • font_04_sfnt_off00017a07.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x17A07, 16648 bytes
    SHA-256: 3d75f0d49d8cc34d99ddef83fc4b5efe09384dfb907d865eb87a913a87b5f194