Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a5962f8339b641…

MALICIOUS

PDF

75.9 KB Created: 2021-03-22 23:24:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9bbe9c5c6c8f7810e2c7aab19e5de7fa SHA-1: 23e0d7d042fe3825445add5e28a8e60a12fc735d SHA-256: b6a5962f8339b64197a5bc20f3b9a1fc348f10491bbf36aa7a2642bfc84f2f1b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to SEO-optimized PDF files, suggesting a link farm or phishing campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and numerous external links are consistent with techniques used to redirect users to malicious sites, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=manual+iphone+3g+espa%25C3%25B1ol+pdf
    • https://pedumukelogo.weebly.com/uploads/1/3/0/9/130969284/d1f9056bad.pdf
    • https://jawufilarom.weebly.com/uploads/1/3/6/0/136054640/vevelekowaruj-nifur-pokedifuwa.pdf
    • https://gabubogoko.weebly.com/uploads/1/3/3/9/133997439/judabok_pezasenogaj.pdf
    • https://cdn.sqhk.co/ketadasogob/iajievx/era_sospetto_in_inglese.pdf
    • https://toguxoboribad.weebly.com/uploads/1/3/4/8/134876345/e63648879294f.pdf
    • https://zaximasuxudaris.weebly.com/uploads/1/3/4/5/134590642/9642607.pdf
    • http://gidilakapajuke.mywebcommunity.org/83779192680.pdf
    • http://wogivodugakovek.mygamesonline.org/telecharger_cours_atomistique.pdf
    • http://mevukavotidu.getenjoyment.net/20387171840.pdf
    • http://suxoxaxowigab.scienceontheweb.net/what_is_a_certificate_of_creditable_coverage_letter.pdf
    • https://cdn.sqhk.co/segenapiza/dVi3jgZ/lerokaviwezokis.pdf
    • https://cdn.sqhk.co/voxobidivel/hbnihic/what_is_religionless_christianity.pdf
    • https://pefikasulanak.weebly.com/uploads/1/3/4/3/134350375/1764e8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fdf31a0e-653a-49d8-9a7f-1fb475756ea4/can_you_take_english_101_online.pdf
    • http://womawujun.atwebpages.com/64849045859.pdf
    • https://uploads.strikinglycdn.com/files/114c7591-c32e-48d3-8491-1bb862530d52/15442763119.pdf
    • https://uploads.strikinglycdn.com/files/65d57a19-7999-4776-be7c-f87d50c458a5/4375508228.pdf
    • http://wegugoleta.onlinewebshop.net/harry_potter_characters_and_their_hogwarts_houses.pdf
    • https://uploads.strikinglycdn.com/files/b53a8332-9e9c-40b7-81ca-5fa1c87ecbab/michael_vey_the_prisoner_of_cell_25_audiobook_free.pdf
    • http://nozozuwovore.atwebpages.com/the_veil_removed_scripture.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8e7.bin
e12166a7ac46cd0a36441130d5242323b069853b614266578bb195df10a99ace		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8E7 5588 bytes
font_01_sfnt_off0000fbb4.bin
d39db313a9c69e5cec45d848cefb41c614ee1f0c4977b920c90c1df9af1a6f60		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFBB4 11408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.