Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f9752887d711b01…

MALICIOUS

PDF

Size: 104.9 KB
Created: 2021-04-01 08:52:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ba9882ca2050edf842782e7c0896f328
SHA-1: d14af0fbd9ad20668f74f4c7030a49a1158bd500
SHA-256: 9f9752887d711b01dbded93409c70c1e5c49406dd20af3fc79f86c29cd4682f5
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many pointing to PDF files, suggesting a link farm or SEO poisoning attempt. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document instructs the user to copy and paste content into a shell, a common tactic to trick users into executing malicious commands. While no scripts were directly extracted, the presence of external links and the lure suggest the document is designed to download and execute a secondary payload, likely a phishing or trojan component.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical; id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure (severity: high; id: SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • External URI (severity: info; id: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=google+chrome+os+recovery

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ff8a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF8A
    Size: 5196 bytes
    SHA-256: aff583a3d8c375971eb38efa8c3cbdac2b12dccfae0f89c9a897f3a266b0853d
  • font_01_sfnt_off00011121.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11121
    Size: 13392 bytes
    SHA-256: 600754522a0f3c4df87f3d94aca4fa782d3d83ce62ba2098363e3ac9d1c963a9
  • font_02_sfnt_off00013a3d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13A3D
    Size: 4720 bytes
    SHA-256: 7f4c89dad21154c95f85baede2448595051a38a94bf04f5b4590135a805bb1e8
  • font_03_sfnt_off00014924.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14924
    Size: 11564 bytes
    SHA-256: fd39e93d29d282fcbdbb0d271b9541ecd55b731c2d9969c667f71762fa3c705f
  • font_04_sfnt_off000170e6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x170E6
    Size: 12040 bytes
    SHA-256: 483a1ed1b24ed7e37cbfe2ddc1503f5775f9d70777e0ab31dcf74ca1c7dcf921