Malicious PDF — malware analysis report

Static analysis result for SHA-256 afdb558ce13fe3bd…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-28 09:01:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68348b6c3ce2b07c2fc009134dc8c176
SHA-1: 6048c3f97d5c6c73aa0cc2a88df8637efec0fb6d
SHA-256: afdb558ce13fe3bd256c68e97c04dadd337a7bc6652622d793c2f0a0630feb85
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, indicated by the presence of numerous external links and a critical heuristic firing for a 'PDF_SEO_LINK_FARM'. The document's content, though partially corrupted, suggests a pretext related to a 'Reporte datacredito colombia por cedula'. The ClamAV detection and ML classifier further support its malicious nature, likely serving as a distribution point for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a pattern often used to keep payloads encrypted until after gateway scanning.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eab6.bin
    SHA-256: e1cbdc84da3c4f311dda3c8550711ca2dcd60796fc874cd1c44106c9122b0fef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAB6
    Size: 5188 bytes
  • font_01_sfnt_off0000fc47.bin
    SHA-256: 616867f3b8af5f89cf4ce7c917076b3ac13fef68865a68c5053147f659812ae7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC47
    Size: 11536 bytes