Malicious PDF — malware analysis report

Static analysis result for SHA-256 a600025c4ef3b235…

MALICIOUS

PDF

Size: 124.4 KB
Created: 2021-03-09 17:31:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e561fadfbb328a1a9efc85fac901c33b
SHA-1: 710a73c355bd72e14d57907339060947c98a2c61
SHA-256: a600025c4ef3b23570dcf1de2089853373f8a7410cfe96a8bb358f415d4804dc
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files, indicating a link farm designed to distribute malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely for phishing or malware delivery. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests that the document may also instruct users to decrypt a payload, further supporting a malicious purpose.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9989

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://botokaw.ru/123?utm_term=baltasar+y+blimunda+pdf
    • http://xtrading.buzz/51976792730bsfcw.pdf
    • http://policyhelpcenter.com/2._2_even_and_odd_functions_worksheetwm2fm.pdf
    • http://nigma24invest.online/top_south_african_house_songsr07pn.pdf
    • http://lnstagram-helping-centre.com/ganezomupumegivonuzodotucqwmr.pdf
    • http://4gusevshop.website/86914373705yt12o.pdf
    • http://rasprodavaika.ru/35780401460uev8j.pdf
    • http://mesretly.xyz/535242050965im3v.pdf
    • http://peskomment.ru/xokumuwetidaxewotomor0sld.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • http://wemosoxa.rf.gd/champ_bengali_song_mr_jatt.pdf
    • https://s3.amazonaws.com/girilifawuxi/zopuditodawa.pdf
    • https://ec5c17a1-061e-4a2c-a9e6-b3561ba71229.filesusr.com/ugd/299074_43929328a794417e9ec6181ad773729b.pdf?index=true
    • http://xenemusexo.epizy.com/the_compound_effect_bangla.pdf
    • https://85ed388a-52e0-4e79-9737-9d4b769dda71.filesusr.com/ugd/bb10c5_6451e2f3a9314163bc0f049433b4fa19.pdf?index=true
    • https://6b9ff03a-ef48-417a-a14c-919df0f903d0.filesusr.com/ugd/f459ea_0592bfa08ce04e8494c20a9aaad58bb2.pdf?index=true
    • https://cf336f9a-6a79-4542-9269-5b62d6eb69dd.filesusr.com/ugd/1daf83_eb33bf23913648ceadca704dadb5e5ec.pdf?index=true
    • http://gumavefuve.rf.gd/gujovafebusuxemeju.pdf
    • https://s3.amazonaws.com/dejolavubukugeb/bose_soundbar_universal_remote_manual.pdf
    • https://9e269ae7-c3cf-4b9f-bde2-1d9be064b7bf.filesusr.com/ugd/139869_26241f2604ba46da80aa99b02735a355.pdf?index=true
    • http://vomemozasaz.rf.gd/55106125759.pdf
    • http://lobosebaj.rf.gd/sonata_pathetique_adagio_sheet_music.pdf
    • https://068ba8bc-08b0-4b68-8151-f3c59c7a5775.filesusr.com/ugd/5a4aad_e534a61cb3dc462bbd4283edbc43c2cd.pdf?index=true
    • https://ea64ff4c-51e6-4efc-8cc1-399682447901.filesusr.com/ugd/961f18_c7d5af4fbbbe43408e953436f1676d50.pdf?index=true
    • https://e3055f73-6236-423b-b810-4bc1a15f300f.filesusr.com/ugd/fa12d1_3466b862c2774317a792308b7192f247.pdf?index=true
    • https://7c8f45b7-e058-4e27-bccd-8ee7dcb26900.filesusr.com/ugd/d5cf39_b1d2c3373f1e46e48ef17756abb93f72.pdf?index=true
    • https://16012499-1299-48b0-8cdd-5f23a7749958.filesusr.com/ugd/fafc38_ec77555932f340318d776b8f9948abe4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00017fc6.bin
    SHA-256: 048fb1891f432488516cd811e7b04d68e7d39e548ca3495625137f8fb0c23ff4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17FC6
    Size: 6744 bytes
  • font_01_sfnt_off000190ab.bin
    SHA-256: 5568cdfa5aa5ee10d955309edbcc31d3331892416011cf5701d1280b1a06b733
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x190AB
    Size: 5480 bytes
  • font_02_sfnt_off0001a32f.bin
    SHA-256: 65b5bb6d53668dd6861ef02d9f1854ef67ce18728d8bb25545aea71bee42c083
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A32F
    Size: 8040 bytes
  • font_03_sfnt_off0001b968.bin
    SHA-256: 2e30ba7a78950b64e27c3e9b74f83a2d097b8b0c6d1bedd796b6ee399ad00cfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B968
    Size: 12604 bytes