Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d2df4ca918772c9…

MALICIOUS

PDF

79.7 KB Created: 2021-03-24 04:55:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 819227c53e1a574f56de6fa9abbb2d20 SHA-1: 56881081d2b409a42a706281aef47be987815f71 SHA-256: 9d2df4ca918772c904bafba35855c9262169ffac2530e0f4cd2547e7e47efa29
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms or phishing lures, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent, specifically identified as Pdf.Phishing.Trojan. The embedded URL points to a domain that is likely part of a phishing campaign. No scripts were extracted, but the overall structure and heuristics point to a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/award?keyword=control+de+calidad+definicion+pdf
    • https://wesotapaxo.weebly.com/uploads/1/3/4/4/134488604/8503529.pdf
    • https://static.s123-cdn-static.com/uploads/4402262/normal_5ff5ce97452d9.pdf
    • https://xopilujipuwoka.weebly.com/uploads/1/3/4/8/134886601/960474.pdf
    • https://static.s123-cdn-static.com/uploads/4501356/normal_60002113458ce.pdf
    • https://fopilifufisi.weebly.com/uploads/1/3/6/0/136055159/4770339.pdf
    • https://cdn-cms.f-static.net/uploads/4463565/normal_600d6b635d93f.pdf
    • http://rat-red.space/52922051573xs32k.pdf
    • http://granitmetrospecstroy.ru/best_mind_diet_apphqpqp.pdf
    • https://sekirunive.weebly.com/uploads/1/3/4/4/134404638/lugulokowoxusagoloti.pdf
    • http://expressday.online/69758180721dc9l4.pdf
    • https://cdn-cms.f-static.net/uploads/4411479/normal_601d6809b279c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://32cf4326-ba62-484c-a3ca-05d02c2dd2e5.filesusr.com/ugd/0b46e6_b197aa659999425fb4facbe6fd3f83f9.pdf?index=true
    • https://4b002d3c-a55f-42ce-816c-238f848e88a9.filesusr.com/ugd/3398cc_2308e7954abf4adabf9f4b47fbd34a79.pdf?index=true
    • https://s3.amazonaws.com/wujixus/nupukexakime.pdf
    • https://95a57b4d-a24c-4412-bd87-88f4f885d252.filesusr.com/ugd/011e4b_da1b8a14e81d40f7801f73f8713b36b7.pdf?index=true
    • https://2e03c77f-99cc-4591-9807-54d8d49c9ce6.filesusr.com/ugd/759733_3262d10654f34580aa483e2945c04562.pdf?index=true
    • https://s3.amazonaws.com/begijufadi/morukuwabigexakoresugapor.pdf
    • https://s3.amazonaws.com/folexapurilowe/luzarazoparaxeximodinek.pdf
    • https://696f1bd8-06c3-47a7-a8f7-e83e17ec8d18.filesusr.com/ugd/5ad03d_6b16e281837647fc99d27d9c8654f6d2.pdf?index=true
    • https://e0d0d77b-4c00-4265-bc22-f0cc5cf11ada.filesusr.com/ugd/957eb4_cbdb43b7fcf640e7813a1c741d4917a5.pdf?index=true
    • https://ee60c613-3dd1-430d-b711-08e3dcbf0273.filesusr.com/ugd/19ce5d_0d6b154309fb4958aa41aee766c25bee.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e47a.bin
b7576c91bd20758353abd57d14334bcce6091411f5967a5f62c0d43b920d4d5c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE47A 4876 bytes
font_01_sfnt_off0000f51b.bin
c8342cae050dcb2ced7094d6d60f90aed7b7fe8890237861bf816fee981ede2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF51B 11540 bytes
font_02_sfnt_off00011a93.bin
d781c508aaf473e50263a6aabc3f4161b7fa10724c54bb8d35addee38a7f1c44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A93 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.