Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c7034a66620ea7c…

MALICIOUS

PDF

72.5 KB Created: 2021-03-26 17:40:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc1e53c69497cfd5fc6468c2676e715e SHA-1: 2cda8b0d583f4b580ba812c8af6fa9e641671c15 SHA-256: 9c7034a66620ea7c98523f8a75dd190eccea176abdd26f4f4126105e34d3bac2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a technique often used for SEO spam or phishing. The heuristic PDF_SEO_LINK_FARM indicates a large number of links, and one of the primary URLs is associated with a keyword search, suggesting a lure. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. Although no scripts were explicitly extracted, the PDF structure and embedded URLs strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/award?keyword=risk+management+pdf+in+banks
    • https://tapebosipufadiz.weebly.com/uploads/1/3/4/3/134366988/wunajesaninor.pdf
    • https://kafiwixuvaso.weebly.com/uploads/1/3/0/8/130874495/91411919914.pdf
    • http://philonio.online/formal_lab_report_example_physicslxr2h.pdf
    • https://sevirisedug.weebly.com/uploads/1/3/6/0/136089940/7076bed7b52.pdf
    • https://gitexapovaje.weebly.com/uploads/1/3/4/4/134464395/darokite_zibenuzudud.pdf
    • https://noginoludaven.weebly.com/uploads/1/3/4/3/134374582/6127458.pdf
    • https://rogusedi.weebly.com/uploads/1/3/4/4/134433103/9fe12.pdf
    • https://mabaxezo.weebly.com/uploads/1/3/4/7/134766945/5746986.pdf
    • https://pofifeluvoka.weebly.com/uploads/1/3/0/7/130739131/niweduwi-ditomiwe-busatelexel.pdf
    • https://jerigarapo.weebly.com/uploads/1/3/5/3/135327201/gofupunebule-rujuwag-juxezuk-tadavesixusajo.pdf
    • https://bifotuvimutojuz.weebly.com/uploads/1/3/0/9/130969437/171fdb7938961.pdf
    • https://babotiditufo.weebly.com/uploads/1/3/4/6/134694550/kowugugifolo_totamaw_nojosupamikofol.pdf
    • http://creditreportfast.info/465933377138ksgu.pdf
    • https://zuvimetuna.weebly.com/uploads/1/3/5/3/135304981/losuvologatere_xitej_sibozatu_fozukegusix.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_a2363d528e484603af2a17218c7d7288.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1e2d5a89-c077-4c72-b5d8-1439cba7c668/crochet_blanket_patterns_for_beginners_youtube.pdf
    • https://1de4b56a-3309-4767-83a2-f1bb1ea7c594.filesusr.com/ugd/a6e5e9_ef92ea94ed13413a90d32f10d11bfdcf.pdf?index=true
    • https://4f0754e2-f0c4-47db-826b-83042027646c.filesusr.com/ugd/7a11b0_87d8a23832074861b34c949c36ac3f4b.pdf?index=true
    • https://7162f0c1-3bb2-4775-9ad2-1e34613fb889.filesusr.com/ugd/595093_79ea398518104ad1b62534f75051df3b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/71f96869-50af-4d98-aaad-08f72c9b7b9c/critical_thinking_book.pdf
    • https://uploads.strikinglycdn.com/files/61c25b41-70c0-4dda-871d-af7ec67f60f3/34060898940.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000deec.bin
2daa2fc4f942dff65f97b42d5de28e37b40b9ce17735ad1e307515aefaacccd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDEEC 5444 bytes
font_01_sfnt_off0000f16a.bin
93080243af3efc54eb94468880c28abe37471f7ea12e6a57c6842403bd81a639		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF16A 10312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.