Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba9b2cec2ac7c836…

Verdict: MALICIOUS
File type: PDF

Size: 72.0 KB
Created: 2021-03-10 11:07:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7ddb3337ec48455be1def45e3d5774b
SHA-1: ee5da2f9049d8433499d9a8a67c9a9b8bef664ae
SHA-256: ba9b2cec2ac7c836086d23eccb8f34ceab9ac41a0357fd7be6239fce0f072aeb
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. Although no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of a phishing or malware distribution vector, likely leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000db1c.bin | 6249be01f09b3e2b3067595a1a137423a8d05a682fb8347139ff8b25a06a9ec0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB1C | 5416 bytes
font_01_sfnt_off0000ed5c.bin | 4949e66af69cef6e1b265f08d0d1cf61e2e60d90519bcab968f99a844ea9d2e5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED5C | 11316 bytes