Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c2301b0e1468d71…

MALICIOUS

PDF

67.9 KB Created: 2021-02-24 06:59:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: 6f564a2b0c0c7b74e2fc907301b53372 SHA-1: ba369d99288447ca888ba78131e98060fd2b9335 SHA-256: 9c2301b0e1468d7148eeddb73984893921d27a758f1abd7c27a9409b3248f2ab
244 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file exhibits multiple indicators of malicious activity, including brand impersonation (USPS) for credential phishing and a large number of external links, suggesting a link farm or distribution mechanism. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware delivery. No scripts were extracted, but the presence of numerous URLs and the phishing lure point towards a malicious document designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://tobevasisutigi.weebly.com/uploads/1/3/0/8/130814636/1126627.pdf.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/strik?utm_term=whitney+young+address PDF link annotation
    • https://tobevasisutigi.weebly.com/uploads/1/3/0/8/130814636/1126627.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4465702/normal_5ff1f3e67fc51.pdfIn PDF document text
    • http://pemutoguxo.66ghz.com/is_python_programming_free.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4465703/normal_5fffb182aee43.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4487431/normal_60182ea371114.pdfIn PDF document text
    • https://zafatuxowusetex.weebly.com/uploads/1/3/0/7/130739053/xidusivetogetul.pdfIn PDF document text
    • https://balesiloruj.weebly.com/uploads/1/3/4/6/134671801/revinerax-meloma-rerudenolaj.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4376875/normal_60000a580c14c.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4380076/normal_5fe4b2bdc6cea.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4475737/normal_5ffa24a6d469e.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4417429/normal_5fc79593a39c2.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/jotizifime/kallyas_template_themeforest.pdfIn PDF document text
    • https://s3.amazonaws.com/jinabisura/46944144886.pdfIn PDF document text
    • https://s3.amazonaws.com/zizene/answering_tell_me_about_yourself_medical_school.pdfIn PDF document text
    • https://s3.amazonaws.com/popisiburewixuj/39981503122.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce25.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCE25 5168 bytes
SHA-256: 92da74d1e4f69a456aa1b1246448367d062227ef4e2ecc3433645729cdbf7269
font_01_sfnt_off0000dfcb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDFCB 10388 bytes
SHA-256: 8a06547d0352423ef1b8296d89982682510ce0e59666256ae544b0adbcf15cd0