Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4bcd0d72f4860f0…

MALICIOUS

PDF

92.5 KB Created: 2022-06-04 17:08:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2022-07-15
MD5: 6a9a95d2bdab487acfa583769f75fe40 SHA-1: 2759b3be83d1039d74f1c1c186e1143ab2c48607 SHA-256: b4bcd0d72f4860f06d449fc47c7c3771637782961d4457ba0c82bedd4966946c
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The PDF contains embedded JavaScript and a significant number of external links, many pointing to Weebly-hosted PDFs, indicating a link farm or SEO manipulation tactic. The primary URL, 'https://lovig.co.za/YmrXLWy8?keyword=npv%20ti-84%20calculator%20free%20printable%20pdf', suggests a lure related to financial calculators. ClamAV detection and ML classification strongly indicate malicious intent, likely to distribute further content or malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lovig.co.za/YmrXLWy8?keyword=npv%20ti-84%20calculator%20free%20printable%20pdf
    • https://deduwanujajugu.weebly.com/uploads/1/4/1/5/141583828/momurejetevowivapo.pdf
    • https://tozikogok.weebly.com/uploads/1/3/5/3/135330875/tibafife-popesujur-rulesutufoweti.pdf
    • https://depobadibib.weebly.com/uploads/1/4/1/9/141962317/1195904.pdf
    • https://vusuxatowawa.weebly.com/uploads/1/4/1/5/141521333/38f11.pdf
    • http://geofer.eu/userfiles/files/xeloxitujevatojijijal.pdf
    • https://feltshoe.com/userfiles/file/96387960417.pdf
    • https://fefikajuroxubu.weebly.com/uploads/1/4/1/5/141599116/5994534.pdf
    • https://zefodikibaxamot.weebly.com/uploads/1/3/0/8/130814254/movavorobusabu-bogam.pdf
    • https://sensesgrouphk.com/louis/STARKGROUP/ckfinder/userfiles/files/kibifiwunimapebanamube.pdf
    • https://investkwik.com/userfiles/file/2307927465.pdf
    • https://nelixifejesuvol.weebly.com/uploads/1/3/1/4/131406681/bafuveroja_mewixuxixarezaz.pdf
    • https://muwevazed.weebly.com/uploads/1/3/1/0/131070925/47eeae1b5ce1ea1.pdf
    • https://geragiwapel.weebly.com/uploads/1/4/1/6/141673800/betukokolasa.pdf
    • http://c2mag.com/wp-content/plugins/formcraft/file-upload/server/content/files/1624b8d15c47fa---89371055716.pdf
    • https://pepodefaposuv.weebly.com/uploads/1/3/5/9/135992330/1203656.pdf
    • https://zixavuxo.weebly.com/uploads/1/3/1/3/131398386/a4d0ac.pdf
    • https://babotiditufo.weebly.com/uploads/1/3/4/6/134694550/277d3a0a0.pdf
    • https://pixigakamorage.weebly.com/uploads/1/3/4/3/134351623/dc7eda848e878a.pdf
    • http://pflp-sy.org/assets/js/admin/ckeditor/kcfinder/upload/files/738843447.pdf
    • https://xogisepemilala.weebly.com/uploads/1/4/1/5/141564799/3925933.pdf
    • https://jukagejun.weebly.com/uploads/1/3/3/9/133999346/nutaxabelivilur-sixuv.pdf
    • https://xorozatu.weebly.com/uploads/1/3/4/4/134461248/rukibagunapoze-gijaxilujuwe-fofudafonomof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e7f7.bin
adf38969d40f501586e0caf93d33991e243baeeecfe575c4831cdbf64b7044fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE7F7 16336 bytes
font_01_sfnt_off0000fdf5.bin
0419e86b94506cce4517b70efe6822f7126b34c304ea2cd943136087eceb61ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDF5 19236 bytes
font_02_sfnt_off00013105.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13105 16792 bytes
font_03_sfnt_off0001491c.bin
fdd8c6b342884bba69849378a3916ad7ffe797f6b0b0d83b3f55a28cb9c8c786		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1491C 11048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.