Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8b82139f6b3aaf6…

MALICIOUS

PDF

72.6 KB Created: 2021-06-05 05:50:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f82bd5de1c4917e6dc638a8c7edf4b77 SHA-1: 6d6028dc17d1e1bb8c5447b4b127dddab6dede9c SHA-256: a8b82139f6b3aaf65905e401869f800383c6d86dc192ff9002894e2806c0b665
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a technique often used in link farms to manipulate search engine rankings or to host malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and the presence of external links suggest it's designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/pbw?utm_term=free+letter+recognition+worksheets+for+kindergarten
    • https://zetizisoxaw.weebly.com/uploads/1/3/4/4/134498522/759362.pdf
    • https://jumobagovuv.weebly.com/uploads/1/3/4/6/134697352/jalilabezexigorigu.pdf
    • https://mewodufupojapoz.weebly.com/uploads/1/3/1/8/131857890/fukigulat.pdf
    • https://soxodoma.weebly.com/uploads/1/3/4/6/134695887/waxipemivefuzikim.pdf
    • https://rozinezo.weebly.com/uploads/1/3/1/6/131636990/485bf011dbd09.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xalomuzavege.pbworks.com/f/which_greek_god_is_the_most_powerful.pdf
    • https://uploads.strikinglycdn.com/files/b298b4ad-091c-4fa7-ba87-7f4898eab072/how_to_clean_cuisinart_keurig_coffee_maker.pdf
    • https://uploads.strikinglycdn.com/files/6b318cb1-15fa-4d66-8ab2-9df795b5cbcf/what_is_the_process_of_breathing_called.pdf
    • https://uploads.strikinglycdn.com/files/36d7152a-154b-47b5-a5ac-7eaf9bbf6529/25232383568.pdf
    • https://uploads.strikinglycdn.com/files/29063532-f88f-4a82-a232-ea7aea530bf3/225757333.pdf
    • https://uploads.strikinglycdn.com/files/c5bcc968-d2e3-4aed-b134-859a5e6dd059/380868144.pdf
    • https://uploads.strikinglycdn.com/files/96ed0a55-259b-4d69-a8b5-aeba65df5734/how_to_calculate_length_width_and_height_from_square_feet.pdf
    • https://uploads.strikinglycdn.com/files/39c3d6cc-b787-4db1-a8e6-c22bb6dba71c/el_general_naranjo_temporada_3_descargar.pdf
    • http://mikabipi.pbworks.com/f/thuppakki_full_movie_hd_1080p_free_download_telugu.pdf
    • https://uploads.strikinglycdn.com/files/386ea9df-30c7-442d-b8a9-ee6ad520546f/23069381564.pdf
    • https://uploads.strikinglycdn.com/files/8513505f-4d9b-4de2-a331-ced043ef07d7/2200298425.pdf
    • http://nunaruribeg.pbworks.com/f/87953991356.pdf
    • https://uploads.strikinglycdn.com/files/ee1261b0-cc30-4da4-aa2a-e34544400f00/48542710755.pdf
    • http://fevawigo.pbworks.com/w/file/fetch/144420627/pitch_perfect_2_full_movie_free_download_for_mobile.pdf
    • https://uploads.strikinglycdn.com/files/b437937f-6ed4-4843-ad6a-b2d844bca920/42817488451.pdf
    • http://zolunegoli.pbworks.com/w/file/fetch/144633777/mesitogezotaniwufaban.pdf
    • https://uploads.strikinglycdn.com/files/ad7baec4-6a00-4ccd-91d7-4f9a7a7b2a65/japojera.pdf
    • https://uploads.strikinglycdn.com/files/c90264af-d7e3-4070-ad64-2922fa76effa/mgma_physician_compensation_2019.pdf
    • https://uploads.strikinglycdn.com/files/f6670737-f439-46af-b5e3-f3d1cccc1676/26801333321.pdf
    • https://uploads.strikinglycdn.com/files/a9f864af-6179-481a-9426-465960bf7f24/evenflo_convertible_car_seat_purple.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dccf.bin
e7573f9ad3fc707a544d6a7938e5388330bef021083a03d75668a14ec48f8a07		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDCCF 5392 bytes
font_01_sfnt_off0000ef3a.bin
b524839e33a82873914f5b4d6fac6736ea5fd52044e5ad8da016279d08817083		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF3A 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.