Malicious PDF — malware analysis report

Static analysis result for SHA-256 a61492d5c675db4a…

Verdict: MALICIOUS

File type: PDF
Size: 145.9 KB
Created: 2021-03-30 23:17:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: ec1626f0f30fa5ea8b77b24998ef418b
SHA-1: bcb14e0fce7da74cdeeadd3123016ab6a8fae5fb
SHA-256: a61492d5c675db4ab83ff349f860332bf3452ad7ac0230bf91dd21ca40e417f6

Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to other PDFs, suggesting a link farm or SEO poisoning attempt. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware distribution. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may be a precursor to a password-protected archive, a common tactic to bypass gateway scanning.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    The document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/award?keyword=reglamento+local+de+las+asambleas+de+dios+en+mexico+pdf
    • https://tapotupuj.weebly.com/uploads/1/3/4/8/134866757/a9da243406f6179.pdf
    • https://cdn.sqhk.co/kivipemo/CBzRJjj/4831920716.pdf
    • https://cdn.sqhk.co/puvegipuros/jdwhbqT/29389823649.pdf
    • https://fajizaxaro.weebly.com/uploads/1/3/1/3/131381717/ketamuruta-jabejamax.pdf
    • https://nutomejeti.weebly.com/uploads/1/3/4/7/134702699/e3cc0.pdf
    • https://zomimodobi.weebly.com/uploads/1/3/0/7/130739583/051dbd7a4c34d.pdf
    • https://cdn.sqhk.co/vodadavubex/9iDbp5e/61467883363.pdf
    • https://wexopusipomela.weebly.com/uploads/1/3/5/3/135313487/3b062.pdf
    • https://cdn.sqhk.co/lewulula/VwQmrgj/buzijodedatavavesemebize.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d0fd22f1-78bd-4368-960d-2a324028b2bb.filesusr.com/ugd/a4d998_843666d1a7d540509a7372c9d0a21599.pdf?index=true
    • https://000bb656-a8cb-4e8b-9327-0b0ec99f56fe.filesusr.com/ugd/3f812e_712fc74c6af646d3871a80057a042225.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cfa95656-4e35-485e-903a-c0ccd091db94/28164309682.pdf
    • https://fe2b84af-b373-48e0-a714-f820169e3fe9.filesusr.com/ugd/ed1d2e_a773ae6367df4f65a1832775b0849a66.pdf?index=true
    • https://uploads.strikinglycdn.com/files/212255b1-b2a1-486c-8dcb-87bfd22c5aff/89291039817.pdf
    • https://uploads.strikinglycdn.com/files/25ad1680-31b5-4cf7-b5a7-06a47eaa0aa3/89673805345.pdf
    • https://aabf49e0-5477-4fd2-8456-a986ef8f2a87.filesusr.com/ugd/9e14ca_aaffb4637fa943b9b07642385fdfad0d.pdf?index=true
    • https://891dfe3a-8969-4df2-b253-5ccc4ebbb7a0.filesusr.com/ugd/e66789_f83f45b9edcf426aa79d68e6bf0d86b5.pdf?index=true
    • https://bc881323-2374-4635-a2b7-f126f9929bd8.filesusr.com/ugd/546a35_fa996c66304748449b544a85de2a58ed.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9be6e967-deb8-4919-9403-f761f3302c87/janigujelulilipisimuz.pdf
    • https://af18ad75-7652-4b25-b9e0-8da5fded0af1.filesusr.com/ugd/529385_993e219bf5d9424aa900b8a0975ba14f.pdf?index=true
    • https://12f7643e-9106-4823-89c2-0bdaecd1bc22.filesusr.com/ugd/1f6d71_f8f2f19d0124470da9408171cf14b1d8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001f828.bin
    SHA-256: d4d26b6f0fefe06e736f71574d5fedb63807edf25a36f389df5a57d3e578503d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F828
    Size: 5592 bytes
  • Filename: font_01_sfnt_off00020b36.bin
    SHA-256: b3e233abeb7048e670b8c2342c03b7649cc5c98fdbe9369ae956127f372e1e95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20B36
    Size: 16888 bytes