Malicious PDF — malware analysis report

Static analysis result for SHA-256 a320944af00027e9…

MALICIOUS

PDF

Size: 113.0 KB
Created: 2021-04-27 16:05:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1cdd2c419a0280c4d51d0d7f036b709a
SHA-1: d73b50dd416adcbfd86ec364d8bed6bcdd22e2a8
SHA-256: a320944af00027e942345f751e63db814cd7577ba545ef43ab087f32f4887405
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are obfuscated or lead to suspicious domains, indicating a link farm or phishing attempt. The heuristic 'PDF_SEO_LINK_FARM' and the presence of multiple unknown reputation URLs strongly suggest malicious intent. The 'SE_INVOICE_LURE' heuristic further supports the phishing pretext. While no scripts were directly extracted, the PDF structure and numerous external links point towards a downloader or phishing campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00017c08.bin
  SHA-256: 7602899acf57ab1728335194639d7318090f48bf35b9d663af45c5eb07e2e2b1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17C08
  Size: 5140 bytes

Filename: font_01_sfnt_off00018d7a.bin
  SHA-256: 4b119ead12efa83465642c95fce670831272b5a68efced0ce7acc0ce59d4f1d3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18D7A
  Size: 11512 bytes