Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6c9ab7f625078ed…

MALICIOUS

PDF

89.7 KB Created: 2021-09-19 08:55:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 4e754b6a72d29c4b98e551b959c31df9 SHA-1: d09b00879ed695815dd66f0afe19ab8915bb3554 SHA-256: a6c9ab7f625078edf134c9049403a670d75360950ae1fae27c96baa69713a744
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file contains embedded JavaScript and is flagged by ML classifiers as malicious. The heuristic 'SE_FAKE_CAPTCHA' indicates the document presents a fake CAPTCHA or human verification prompt to deceive the user. This suggests the document's primary purpose is to lure the user into executing a malicious action, likely to download and run a second-stage payload from one of the numerous embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tincorner.vn/uploads/files/nawozawo.pdf
    • http://park-seversk.ru/other/js/ckfinder/userfiles/files/godajodulavu.pdf
    • http://tivatijapan.com/uploads/userfiles/file/74598006485.pdf
    • https://geya99.com/ckfinder/userfiles/files/41788353175.pdf
    • https://millinerandassoc.com/files/file/10760987505.pdf
    • http://magooferta.pl/uploads/fck/file/81635828386.pdf
    • http://pi-consulting.ch/download/29317596262.pdf
    • http://gamboeng.com/assets/ckfinder/userfiles/files/xivadodajujifap.pdf
    • https://www.unicodesystems.com/wp-content/plugins/super-forms/uploads/php/files/7hja5c36lfpfnannaqtoetm190/logevarisifose.pdf
    • https://jbdclothiers.net/emailer/userfiles/file/fukovowawoko.pdf
    • https://czus-lukasa.sk/userfiles/file/3799125423.pdf
    • http://planet-for-events.de/userfiles/file/kezonafasaporozuxoduse.pdf
    • http://lienming-rubber.com/uploads/files/202109030631222719.pdf
    • https://hinodecoder.com/userfiles/file/70882214527.pdf
    • http://goldcoil.com/uploadfiles/files/koxezoxaj.pdf
    • https://sofahatinh.com/upload/files/jodosasovujura.pdf
    • http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613eef9646d4a---kelotunukulejuw.pdf
    • https://brahmagnanam.org/fck_uploads/file/25316811045.pdf
    • http://52963566.com/upload/file/202109020321510496.pdf
    • http://sunpix.ru/img/lib/file/fipakomesurugajilo.pdf
    • https://clubberia.com/js/ckfinder/userfiles/files/rifevanigegoz.pdf
    • https://kaptenhoki.net/contents/files/napoloposu.pdf
    • https://superlitefan.com/uploads/files/xenunesotunevetozejake.pdf
    • http://ilksolar.com/Images/Media/files/wunoga.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=fortnite+xbox+free+skin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f1c1.bin
d61ebb12e1ef7566e3b9baba8396eed67efdefdf3015cb95adb003da9f4ffea3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1C1 20968 bytes
font_01_sfnt_off000129fa.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x129FA 16792 bytes
font_02_sfnt_off00014211.bin
acc54ca8e699cea58c151fe99a0e65e7623020064ca5167293039b12a696d48f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14211 10312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.