Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ddde93eac4ddfd8…

Verdict: MALICIOUS
File type: PDF
Size: 75.2 KB
Created: 2021-03-18 04:30:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 34cbac59e0ee9dfaadc42e7e161dfc1c
SHA-1: 7cea69b8c8a1b8b0440d8f073aa78428007ae870
SHA-256: 9ddde93eac4ddfd8ede7c926926e09642a5b6977e4545c51cc0417c3f3a6c271
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to phishing sites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs suggest an attempt to lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G, i.e. object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e788.bin
    SHA-256: 181f5b86d707eb8387725517be34e6d0026aa02c817afeb986300e097a86faca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE788
    Size: 5124 bytes
  • Filename: font_01_sfnt_off0000f8f6.bin
    SHA-256: 0fe53f0f2cdc1cea57be04b33ec96d7e6d04166888f7d35aeff06f9417aa9c15
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8F6
    Size: 10708 bytes