Malicious PDF — malware analysis report

Static analysis result for SHA-256 b862af38cf75ffd3…

MALICIOUS

PDF

Size: 77.9 KB
Created: 2021-04-24 22:08:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 507f8f6a35c8b947eb3bb49ff05cc6e9
SHA-1: 152357f53a92327de633e0381fda8c9ca1391155
SHA-256: b862af38cf75ffd320e4900bf7ec2c2580686457f5db10a5e0fdcdd2946c43fe
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is a phishing or scam document, with a critical finding for a link farm and an ML classifier flagging it as malicious. The embedded URL points to a suspicious domain, likely used to host malicious content or redirect users. While no scripts were explicitly extracted, the PDF structure and the presence of external links suggest an attempt to redirect users to a malicious site, potentially for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure [low] (SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jacksth.ru/strik?utm_term=dr+wellness+x3+hot+tub+reviews
    • http://resusawoka.iblogger.org/bootstrap_templates_free_w3schools.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1ee9f044-c418-4676-bdb6-f3846fada56d/54413395082.pdf
    • https://uploads.strikinglycdn.com/files/8b9e5e31-11b3-44ed-8def-2bfbdb828b4a/vinefuzafuno.pdf
    • https://s3.amazonaws.com/bidemewufa/vetunifupaveri.pdf
    • https://s3.amazonaws.com/magapeguwabe/86545358959.pdf
    • https://uploads.strikinglycdn.com/files/6d9c051e-283d-46bd-b25d-90d2030986a4/88463173602.pdf
    • https://d848e4b6-662b-4424-a759-963270729452.filesusr.com/ugd/30e015_da37a4e23aad4406b096fe9752a041b8.pdf?index=true
    • http://dowijasimenazo.epizy.com/97320447491.pdf
    • http://wupaxine.epizy.com/12401593356.pdf
    • https://4fd7ac12-06e8-439c-96a9-7636004ccb32.filesusr.com/ugd/9554ab_574f93d1a0294a12ad852e022098f75e.pdf?index=true
    • https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_86dfb4d83fa1498b9b5e3f41e49e971d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d1582ed7-8592-4687-859d-34aa13ebe05b/is_astrological_compatibility_real.pdf
    • https://uploads.strikinglycdn.com/files/24c4c17b-2faf-4dbc-b3ec-a59415730ca4/rivop.pdf
    • https://86146b48-cf95-488a-b5a0-22832f4589a6.filesusr.com/ugd/3b4eee_f3de44a0088549229b269e2f77f89b0d.pdf?index=true
    • https://8a05da06-75fd-4b4b-8779-f7668a2fa4a0.filesusr.com/ugd/da32d9_82b8db856f9f4c4e81b47c90605aa7d6.pdf?index=true
    • https://d6ac5066-27fc-4e71-a07d-b30af50dfe8b.filesusr.com/ugd/934fc3_c68cf0fb54aa4701aa8092ce0c357f7e.pdf?index=true
    • https://s3.amazonaws.com/fefurorobumi/45148788638.pdf
    • https://29159626-56e2-4eb2-a8c1-eb081f451e44.filesusr.com/ugd/a58502_f479c9d8fb624cb18660e5d1dd385d41.pdf?index=true
    • https://uploads.strikinglycdn.com/files/10cd1aa4-2e3c-4053-95a5-d8f5a129e281/how_do_i_sync_my_logitech_m325_mouse.pdf
    • https://8d275f60-8e36-4e70-8574-b6d542a617c4.filesusr.com/ugd/dbf6c2_321fa3bd7ee4428db35d7a905015197b.pdf?index=true
    • https://ac911ccd-a574-46a9-bbb3-57bb927ff796.filesusr.com/ugd/2735c9_0e6fa790fe374d93b27bbf8d232f0b6e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/239523f5-e701-429e-8b39-7a78a907433b/how_to_replace_air_filter_in_bryant_furnace.pdf
    • https://c4bedd8b-a3e9-4aa8-9751-a6fde4035b7e.filesusr.com/ugd/037f08_c4f29db929d44c908822fced01001f21.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f311.bin
    SHA-256: 9c6fcc65851998aae03cd9a629aac64fca2268502c12aff1a421e50f2f35704f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF311
    Size: 5084 bytes
  • Filename: font_01_sfnt_off00010479.bin
    SHA-256: 6795e5aace75d58c86ca4eee3b01cf002e42106f1c09d2b9f5ed9c3c6bef06ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10479
    Size: 11012 bytes