Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9e0f9a7c42de8eb…

MALICIOUS

PDF

81.6 KB Created: 2021-03-15 09:05:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 498434a1234ab72d349bc6d80c289deb SHA-1: 71c33a50cc68880f6b82ba295a7e89c698758324 SHA-256: a9e0f9a7c42de8eb9131f47f49833b4086556ddad00a528e56a5bed968cef2d7
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and a mass of external links, including one pointing to a URL that appears to be a search result for game hacks. This suggests the document is designed to trick users into clicking malicious links, likely leading to further compromise or phishing. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=guns+of+boom+hack+unlimited+money+and+gold
    • http://nebo-baikala.ru/7008625380y1mx.pdf
    • https://cdn.sqhk.co/vekuperik/hzijt7i/grumpy_cat_good_morning_images.pdf
    • http://sun-italy.space/acr_guidelines_for_gout_treatmentuyqg9.pdf
    • http://tuimag.ru/xidofetp07s.pdf
    • https://cdn.sqhk.co/nijusukelok/bihLjja/jijexilamo.pdf
    • https://cdn.sqhk.co/regavebike/hhhhcie/drag_racing_club_wars_apk_download.pdf
    • https://cdn.sqhk.co/butiluluvuk/ayBIOje/online_driving_professor_coupon_code.pdf
    • https://cdn.sqhk.co/buwuvibija/ih6mk6q/4197346917.pdf
    • https://cdn.sqhk.co/tuponapalab/gjghicR/chocolate_protein_shake_recipes_healthy.pdf
    • http://onlineeshop24.xyz/pubukepizvjln0.pdf
    • https://cdn.sqhk.co/durotula/ibPVheU/transferwise_phone_number_new_york.pdf
    • https://cdn.sqhk.co/kewawukufiju/hdhgOu8/76160948762.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1babbaa0-329d-4f82-8abe-6c5c1c2456f8/eating_attitudes_test_eat-26_en_espaol.pdf
    • https://s3.amazonaws.com/xupizewuxere/linked_list_quiz_questions_and_answers.pdf
    • https://77ac2d45-d533-4b4b-a85c-01e81860bff9.filesusr.com/ugd/7f1ad7_2180be999d234272952d6791962ab187.pdf?index=true
    • https://s3.amazonaws.com/fefurorobumi/chet_holmes_ultimate_sales_machine_summary.pdf
    • https://s3.amazonaws.com/zedilegol/ranunasevax.pdf
    • https://45e41439-46a4-4c97-84f0-155cfeda4cef.filesusr.com/ugd/9d7ad9_108dc9d3dc8847c4acf952f2e639bce0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c9ef2c7a-04e8-4883-94e9-1503a4053b47/msi_geforce_gtx_970_gaming_4g_vs_gtx_1060_6gb.pdf
    • https://s3.amazonaws.com/kotenu/36363377925.pdf
    • https://s3.amazonaws.com/wekibik/15149602575.pdf
    • https://5e73d190-47a4-4ead-99bf-7e9069f06a16.filesusr.com/ugd/55cc32_05e9a4acb7a74ecb9518a944d0bf28da.pdf?index=true
    • https://uploads.strikinglycdn.com/files/38daf1b4-7fdc-422a-84ab-97aa01f8ef09/pegefeberarezutemu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f72c.bin
cf373f8eb364677dc8d29ae0cbe658a1b8665e9067f0cd69b3a2e84d4b370a53		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF72C 1872 bytes
font_01_sfnt_off00010020.bin
ab73262320f0def97bf1aa3b3e593ceb4dd2764724dfff6d0added1f2e891241		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10020 5676 bytes
font_02_sfnt_off00011358.bin
635e7a90b05cdd503e7ac561144e3f7cb6f91b4613a43d619ee79a43bd857521		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11358 10916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.