Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e842047d81c8b83…

MALICIOUS

PDF

85.5 KB Created: 2021-03-17 00:07:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5b2de771b730dd2c374d9f0b41c885b SHA-1: 9ef5699ee155b57a5605eb3841c0c5a0ce158f2f SHA-256: 9e842047d81c8b83f49302d2c7578096acca6f5224f57447e834ff089d9127a6
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains numerous embedded URLs, many of which point to disposable hosting or link farms, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=hindi+varnamala+chart+with+pictures+pdf+download
    • https://cdn-cms.f-static.net/uploads/4503767/normal_6050326f84716.pdf
    • https://cdn-cms.f-static.net/uploads/4381536/normal_5fea0bfb50657.pdf
    • https://tegedibinatamam.weebly.com/uploads/1/3/5/3/135350324/difazelevitogokozeje.pdf
    • http://vadinesejel.22web.org/23160080395.pdf
    • https://vumorusumanipav.weebly.com/uploads/1/3/4/2/134234742/budaxamezepudap_medovu_tarisupud.pdf
    • https://cdn-cms.f-static.net/uploads/4416929/normal_60300e169b2dc.pdf
    • https://wijuzibodeba.weebly.com/uploads/1/3/0/7/130738798/5358213.pdf
    • http://twenty-promo2020.ru/beverly_hills_ninja_movieqjs67.pdf
    • https://mivojunap.weebly.com/uploads/1/3/4/7/134720575/a34f753.pdf
    • https://static.s123-cdn-static.com/uploads/4484610/normal_5ff949bea0e2c.pdf
    • http://national-verifyteam.com/puneladedukilufapobulej3lr7v.pdf
    • http://repair-monokoles.ru/plane_controls_for_pcscvox.pdf
    • http://trylait.pro/ladefadibapoxixezroqou.pdf
    • http://minilikaru.iblogger.org/bastard_game_guide.pdf
    • http://myluckywin.site/dungeons_and_dragons_players_handbook_usedt86uc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • http://zipavisaxa.epizy.com/how_to_factory_reset_samsung_c460fw_printer.pdf
    • http://jerofob.epizy.com/nafusojotugajebupagi.pdf
    • http://xidomuxi.rf.gd/how_to_refill_ink_epson_2720.pdf
    • http://laneneloko.epizy.com/mp_rojgar_nirman.pdf
    • http://jegafat.rf.gd/swiffer_wetjet_not_working_with_new_batteries.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dad5.bin
6edac0df8aca25c965cf99262700983d175cfdfa05d52bd0fa95fb374dd4c735		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDAD5 5388 bytes
font_01_sfnt_off0000ed05.bin
8f77be7688429383c5c2c61ea5929111fab7680d9c7db028604097089c1586bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED05 10524 bytes
font_02_sfnt_off0001111d.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1111D 4324 bytes
font_03_sfnt_off00011f1e.bin
1b49d237a3787cedbeae239b15f1655e6a31038e682812012bda9efedacd2d28		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11F1E 14244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.