Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6a8386b75fd13f1…

MALICIOUS

PDF

Size: 84.1 KB
Created: 2021-03-30 09:20:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae4ba343212c3641323ead177b160beb
SHA-1: 80f41434510f96e2093d4cac4f3fa1393727d883
SHA-256: a6a8386b75fd13f19153d521e06f5b4ae21d3c9f0d8b5cb80e78e682e3550b0a
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious intent, including PDF_SEO_LINK_FARM and PDF_SUSPICIOUS_LINK_LURE, pointing to suspicious domains. The ML classifier and ClamAV also flagged this file as malicious. The embedded URLs suggest an attempt to redirect users to potentially harmful sites, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Image-heavy PDF with invisible link to suspicious domain (severity: high, rule: PDF_SUSPICIOUS_LINK_LURE)
    The PDF is a small, image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/wix?keyword=tropico+de+cancer+mapa
    • http://jijuduli.mywebcommunity.org/what_is_baseline_survey.pdf
    • http://tacfitproducts.com/84778450093bku5z.pdf
    • http://cybety.xyz/fotidovitanusilag676u.pdf
    • http://com-login8.xyz/709917273017og2d.pdf
    • http://nanonewe.scienceontheweb.net/wagner_paint_sprayer_manual.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nevovumowa/mathematical_physics_lecture_notes.pdf
    • https://s3.amazonaws.com/mulerux/samsung_scx_4623f_driver_free_download.pdf
    • https://945b3f91-9c76-4178-be32-f0dab3cfe2c6.filesusr.com/ugd/8d5d69_684f76e7fda7411b8ebc31fe10abd603.pdf?index=true
    • https://86a6be6f-1c3f-48a2-98e5-8a654ddc1212.filesusr.com/ugd/027f51_249ac46905bd4b68b54112a12d6ad969.pdf?index=true
    • http://revudipepofaten.myartsonline.com/mimejoravolifarisuren.pdf
    • https://ed4d48c2-14ea-47f5-a89a-b82193587323.filesusr.com/ugd/8ce377_5bede74a7f8744c0b78488c2faa8b758.pdf?index=true
    • http://ropupifalapoges.atwebpages.com/47370526224.pdf
    • http://sanugifop.atwebpages.com/mh_cet_2020_result.pdf
    • https://d21da297-2d1c-4020-882f-059d99c29dc9.filesusr.com/ugd/3724a2_7b5181e63d304ad1ad25476167c9f5c4.pdf?index=true
    • https://3fb740b9-71d8-4183-8edb-de11b68c0a29.filesusr.com/ugd/1fbf8b_2bf653c418b1475d99029014cc075ac9.pdf?index=true
    • https://s3.amazonaws.com/nevovumowa/mobile_attendance_system_project_in_android_github.pdf
    • https://s3.amazonaws.com/jedobufudajewu/3087902057.pdf
    • https://s3.amazonaws.com/xovekolamoxe/55325307894.pdf
    • https://s3.amazonaws.com/bulujono/zunufuwotixizebolanam.pdf
    • https://s3.amazonaws.com/tigewibejageju/heart_of_darkness_free.pdf
    • https://s3.amazonaws.com/zaxawetawupo/joserebeputizozo.pdf
    • https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_388207f7eb074845b79cbeb888d923e0.pdf?index=true
    • https://661c91a2-68a2-4ae3-aaac-ef96b6cc7894.filesusr.com/ugd/b926a8_9cd33c25f3c741d58c8e4fa7e27559f0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ef30.bin | 32ffc02bce5a3f1b1f2ac4d52c4164a3dff7dc42ffcb7f356e9e0899ba14fb5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF30 | 4960 bytes
font_01_sfnt_off0000fff7.bin | c41fa7339b98b8d469f4b29f373b94d0bf72b9902e237a182caac28d752806d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFF7 | 14588 bytes
font_02_sfnt_off00012c98.bin | 713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C98 | 16060 bytes