Malicious PDF — malware analysis report

Static analysis result for SHA-256 a62f64819954df8c…

MALICIOUS

PDF

75.4 KB Created: 2021-03-22 19:04:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a026ff910b8799d90c680ab42daba52a SHA-1: 5cd321e24a259bd9fe982d3b5aa89845de8d7ff3 SHA-256: a62f64819954df8c31747a08c37e85a4caa432862c1dd1103f5debea136cea1d
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF document contains heuristics indicating it is a phishing lure, specifically prompting the user to install a browser extension. It also contains numerous external links, many of which point to other PDF files, suggesting a link farm or redirection mechanism. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=diep.io+hack+chrome+extension
    • https://zujususo.weebly.com/uploads/1/3/4/6/134615591/sipezibuzu.pdf
    • https://xokefinodoju.weebly.com/uploads/1/3/5/3/135316617/zegogepeparovo.pdf
    • http://volosaty100.xyz/mewovetimuvuwevaje005ax.pdf
    • http://znakomstva18x.site/miwoxtdlz4.pdf
    • https://cdn.sqhk.co/pinepopowig/hhg34gg/27299632087.pdf
    • https://cdn.sqhk.co/mapexovebo/gXjb1ii/bivesikawogu.pdf
    • https://cdn.sqhk.co/vazoguzo/idghQge/piggy_call_mod_granny_prank_dial.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/dca61b2d-cbd6-448a-a461-b0bbf6fb6c67/50503959562.pdf
    • https://74a5c9af-61bb-4d76-9351-4d02c0bf652a.filesusr.com/ugd/e33828_8bf0614c0b55481d8c7cef2776338659.pdf?index=true
    • https://18cceff7-6d50-42ec-9d85-67184b61345e.filesusr.com/ugd/8c2e83_39b125713474438ab337cde341c544ae.pdf?index=true
    • https://8b62b971-d575-4461-ae89-9de7a2afac08.filesusr.com/ugd/c5a911_f6b7a4db6a24413e83431c8d28f3e7c9.pdf?index=true
    • https://47c0d0ed-94e3-447f-940a-e265262d053f.filesusr.com/ugd/a43ec6_57f511851b744585978d1fcbb70d36bc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/56e6f4c8-cc44-4214-857e-35b1f770e916/barcelona_pavilion_plan_with_dimensions.pdf
    • https://uploads.strikinglycdn.com/files/05db1509-318b-4b89-87d1-71a7c04a878d/vimifuvuxugam.pdf
    • https://uploads.strikinglycdn.com/files/d24ae826-9787-4e12-8482-1ca027efe60f/fobemiwisofibenexoge.pdf
    • https://uploads.strikinglycdn.com/files/8f4f5d57-912e-407f-b83c-ad0c734cbbd6/how_to_change_ink_cartridge_epson_xp_205.pdf
    • https://e082cb0d-9c22-4a21-acb7-e2c6127a51d3.filesusr.com/ugd/ff0c06_a4d27c710815459c9fb4faf086153867.pdf?index=true
    • https://1138278f-e8d0-45ef-aef3-dbdd7428ac52.filesusr.com/ugd/5be868_9529a4f0274c4992ae93c4e8fad01b4d.pdf?index=true
    • https://ff743420-c5e2-4527-a456-70ddb2a1abd8.filesusr.com/ugd/5178f2_1c7254ab9fbc489f93980713b61d76fa.pdf?index=true
    • https://71fc3d66-43b2-4ae0-adc3-dfbcdf8b5360.filesusr.com/ugd/6605a0_6ba89b638869496ead546e9960fa8d7e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8c3.bin
c4cb1a49f9b1fd34a178cdfdd79520a7831d0ae660b81920f2d4ba3fbee3c069		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8C3 5304 bytes
font_01_sfnt_off0000fab1.bin
1cea4da8635f7090200afe2416ce3a2546c2fd70f7c36e8175c5979102b1b6f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAB1 11164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.