Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba7f16e5c5321b41…

MALICIOUS

PDF

Size: 73.5 KB   Created: 2021-03-27 21:50:10 +02:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ce358f67dbdc8500089cd612cb85dea1 SHA-1: 4aef50deb4c3c3a571b8cfac05b377df4d847a20 SHA-256: ba7f16e5c5321b4118a5c7c0222b22dee01e372e5353f311638aa5895d99e9d6
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external links, and the most prominent URL carries a résumé-search keyword string, which suggests a job-related lure. The ClamAV phishing signature and the ML classifier both indicate malicious intent, most likely phishing or a scam-style link farm. No script was extracted, so the T1059.007 (JavaScript) mapping above rests on the file's shape rather than on a recovered script. The PDF structure and the embedded links are nonetheless consistent with documents built to redirect users to malicious sites or to stage further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics (5)

  • Small PDF contains a mass of external PDF links (link farm)   [critical]   PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0   [critical]   CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI   [info]   PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies   [info]   PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL   [info]   EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the trailing w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net entries are XMP namespace identifiers and font-licence URIs of the kind wkhtmltopdf writes into document metadata and embedded DejaVu fonts; they are string content, not clickable links.
    • https://nipisod.ru/wix?keyword=cognizant+programmer+analyst+resume
    • http://whalesqpa.fun/how_to_teach_time_management_to_college_studentsdhoau.pdf
    • https://cdn-cms.f-static.net/uploads/4490133/normal_5fe87e3ef236b.pdf
    • https://risidetumul.weebly.com/uploads/1/3/4/3/134320066/mewede.pdf
    • http://biolinkus.me/lenovo_t430_lan_drivers_windows_7_64_bitfhrlg.pdf
    • https://dobopekajami.weebly.com/uploads/1/3/4/3/134314215/gipanapujiki-zurewo.pdf
    • http://viewcreditscore.info/why_wont_my_howard_miller_clock_chime7489r.pdf
    • https://cdn-cms.f-static.net/uploads/4445130/normal_6011fdf443650.pdf
    • https://cdn-cms.f-static.net/uploads/4378393/normal_604f37a08c6d9.pdf
    • https://cdn-cms.f-static.net/uploads/4373304/normal_6025341c55dea.pdf
    • https://wapofaxuza.weebly.com/uploads/1/3/5/9/135992917/gogunodujaga.pdf
    • http://lnstagramverifiedsbadgeform.com/fawigimalovusoruguxa0opv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e5eb5b25-b33c-43e3-82d5-57ab1bf863d8.filesusr.com/ugd/b0c717_23848f1e54b049368e3fb889ebfb86b0.pdf?index=true
    • https://55d63786-14d6-44de-84d0-33f1fb383c44.filesusr.com/ugd/45fd81_60ea4a54fcd0410381cc1a443f8d53f6.pdf?index=true
    • https://4cf6c2b4-cd84-4b73-83b1-bf7f441162b2.filesusr.com/ugd/e50c99_d788dacee3424eb5a342b6046370775d.pdf?index=true
    • https://14535e1a-360a-4d01-a655-fa33e115c80e.filesusr.com/ugd/b222ea_86b2d31330c4453da0b75d5484e6ad62.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a1a6ea9f-765a-4e81-973e-6ad5bdcd09c9/project_x_extended_cut_watch_online.pdf
    • https://951e66c5-660f-4748-bfcc-a6cc0831133d.filesusr.com/ugd/4967bb_2258f5f7da0544beab7a9a4fa3b3a763.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9ad1ca50-6df1-4ea3-b228-be50476a50b3/58558254116.pdf
    • https://uploads.strikinglycdn.com/files/badf255d-6b8b-4247-a6ed-b9b9f988bf12/dodoxilusivije.pdf
    • https://uploads.strikinglycdn.com/files/bab16077-0711-40b1-bb1f-ee3e08018c8e/82868468946.pdf
    • https://c0771fee-1ba5-4dbf-bba5-a775c3d44c03.filesusr.com/ugd/544e7e_0a17410260fb48df82b37ec0024e85d5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1dd6448a-c2e1-4709-b1c4-4b603d6fb92d/last_of_the_mohicans_cast_today.pdf
    • https://fab88ded-2f12-46c9-b6ec-f290036286cc.filesusr.com/ugd/cce69c_1bede4cdfd7d4beab049d2f711dd99b8.pdf?index=true
    • https://49432a94-54bc-4d13-9d12-ea41d731e1b8.filesusr.com/ugd/a7c689_027a9c0f77ad4d2f8e8966a02adc6185.pdf?index=true
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_ceaa639ac12f4e72bb348084eb32af5b.pdf?index=true
    • https://35b1a599-9f45-4897-82ce-59a931fc5495.filesusr.com/ugd/daca0d_baed683692374b67896a0e60f6463f89.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
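The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan that needs no PDF library. The following is an added example written for this report, not the scanner's own code; the thresholds (10 links, 200 KB, 50 % on one host), the active-content key list and the sample PDF built by `build_sample()` are all assumptions made here for illustration. The sample is written without an xref table, so a viewer would reject it, but the regex scan does not need one.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Keys whose presence in a duplicated object body means the duplicate carries
# active content; the heuristic raises severity only in that case (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm")

# "N G obj ... endobj" at byte level; object streams (/ObjStm) are not inflated here.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI targets; hex-string (<...>) targets are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def uri_actions(pdf: bytes) -> list:
    """Every literal-string /URI target in the raw file, backslash escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def link_farm_score(pdf: bytes, min_links: int = 10, max_size: int = 200_000,
                    cluster: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM shape: a small file, many http(s) link targets, most of
    them on a single host. Thresholds are illustrative assumptions."""
    hosts = Counter(urlsplit(u).hostname or "?" for u in uri_actions(pdf)
                    if u.lower().startswith(("http://", "https://")))
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = round(top_n / total, 2) if total else 0.0
    return {"links": total, "top_host": top_host, "top_share": share,
            "flagged": len(pdf) <= max_size and total >= min_links and share >= cluster}


def duplicate_objects(pdf: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (num, gen) defined twice
    with different bytes. 'critical' only when either body carries an
    active-content key, 'info' otherwise (benign incremental updates)."""
    first = {}      # (num, gen) -> body bytes of the first definition
    findings = []
    for m in OBJ_RE.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3)
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = any(k in body or k in first[key] for k in ACTIVE_KEYS)
            findings.append({
                "obj": key,
                "severity": "critical" if active else "info",
                "first_sha256": hashlib.sha256(first[key]).hexdigest()[:16],
                "last_sha256": hashlib.sha256(body).hexdigest()[:16],
            })
    return findings


def build_sample() -> bytes:
    """Constructed sample (not the analysed file): twelve link annotations to one
    host, one to another host, then an incremental update that redefines the
    catalog (object 1) with an /OpenAction URI."""
    targets = [f"http://farm.example/{i}.pdf" for i in range(12)]
    targets.append("http://other.example/readme.pdf")
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
           + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(targets))) + b"] >>",
    }
    for i, t in enumerate(targets):
        objs[4 + i] = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
                       b" /A << /S /URI /URI (" + t.encode() + b") >> >>")
    pdf = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o)
                                    for n, o in objs.items())
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    pdf += (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
            b" /OpenAction << /S /URI /URI (http://farm.example/landing) >> >>\nendobj\n")
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_score(sample))
    for finding in duplicate_objects(sample):
        print(finding)
```

On the constructed sample this reports 14 http links, 13 of them on farm.example, and one duplicate of object 1 0 rated critical because the second body introduces /OpenAction and /URI. On a real file, remember that both scans look at raw bytes only: a link farm or duplicate definition hidden inside a compressed object stream would need the /ObjStm inflated first.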

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, the kind of stream wkhtmltopdf emits for the fonts it renders with, rather than payloads.

Filename: font_00_sfnt_off0000ce27.bin
  SHA-256: 540ddc6794345c25cd38978acb3517574d6ec9400e7d0cda906ce4025b9edcd9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCE27
  Size: 5196 bytes

Filename: font_01_sfnt_off0000dfd1.bin
  SHA-256: d5a3f396c8ae18d7cd27269ce5e2c35a8067d7745cbe40964d778cc1cc7ba4db
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDFD1
  Size: 10220 bytes

Filename: font_02_sfnt_off000102eb.bin
  SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102EB
  Size: 16164 bytes
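The artefact table records each font by the file offset of its stream data, its inflated size and its SHA-256. The following added example (written for this report, not the analyser's own carving code) shows the minimal version of that step: walk every `stream ... endstream` body, inflate it when the stream dictionary declares /FlateDecode, and keep the ones that start with an sfnt magic number. The sample PDF and the 82-byte stand-in font built by `build_sample()` are constructed here; only /FlateDecode is handled, and the sfnt header is sniffed rather than parsed.

```python
import hashlib
import re
import struct
import zlib

# Magic numbers at the start of an sfnt container: TrueType, CFF-based OpenType,
# Apple TrueType, and a TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# Stream bodies; the lookbehind keeps "endstream" from matching as a stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Return every stream whose (inflated) body starts with an sfnt magic, with
    the file offset of the stream data, its size and SHA-256. Only /FlateDecode is
    handled; bodies under other filters stay compressed and so never match."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits between the enclosing "N G obj" and "stream".
        head = pdf[max(0, pdf.rfind(b" obj", 0, m.start())):m.start()]
        data = m.group(1)
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue    # truncated or deliberately corrupt stream
        if data[:4] in SFNT_MAGICS:
            found.append({"offset": m.start(1), "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return found


def build_sample():
    """Constructed sample (not the analysed file): a minimal TrueType header with
    one 'head' table record, Flate-compressed into a /FontFile2-style stream,
    next to an uncompressed content stream that must not be reported."""
    font = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
            + b"head" + struct.pack(">III", 0, 28, 54) + bytes(54))
    packed = zlib.compress(font)
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    pdf += (b"2 0 obj\n<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
            % (len(packed), len(font))) + packed + b"\nendstream\nendobj\n"
    pdf += b"3 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf, font


if __name__ == "__main__":
    sample, _ = build_sample()
    for font in carve_sfnt_fonts(sample):
        print(f"sfnt at offset 0x{font['offset']:X}, {font['size']} bytes, "
              f"sha256 {font['sha256']}")
```

Hashing the inflated bytes, as the table does, is what makes the artefact comparable across samples: the same DejaVu font program will hash identically whatever the surrounding PDF looks like, so a recurring font hash is a useful pivot for clustering documents produced by the same generator. A carved font is an artefact to inventory, not by itself evidence of malice.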