Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb75358f92d18eb8…

Verdict: MALICIOUS
File type: PDF
Size: 86.3 KB
Created: 2021-04-02 10:31:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a17e6803026eba8e621291579903831
SHA-1: 5cd7ee2c1f2cdbc4304ae61ca5d6c192e902918f
SHA-256: bb75358f92d18eb8ff14568a994973c6b5d0ddd8a326b264a5f0c72d40cccd41
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
Only T1566.001 is directly supported by the heuristics below: no JavaScript action and no exploit object is reported for this sample, so the T1059.007 and T1203 mappings are not corroborated by the listed indicators.

The document's link annotations point to a cluster of external PDF download sites, and one of them (mezovuduw.ru, carrying the query term 'python programming app for android download') lures the user into fetching a supposed Android programming app. This is the generated SEO/link-farm pattern used to funnel users into unwanted-software delivery chains rather than a normal citation pattern. Taken together with the ClickFix heuristic (the document tells the user to run a pasted command), the Nyx classifier's 0.9970 malicious score and the ClamAV phishing signature, the evidence supports classifying the file as a phishing/malware distribution carrier.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9970

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack [high] SE_CLICKFIX
    The document instructs the user to press Win+R or to paste a command into a terminal. This is consistent with ClickFix attacks, which sidestep macro restrictions by tricking the user into running the malicious command themselves.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is recorded per URL.
    • https://mezovuduw.ru/strik?utm_term=python+programming+app+for+android+download
    • https://bovebonidufos.weebly.com/uploads/1/3/1/4/131483372/xopujevedebuta.pdf
    • http://dressnbuy.com/is_taco_bell_power_bowl_keto_friendly20mld.pdf
    • https://static.s123-cdn-static.com/uploads/4407777/normal_5fc7469c51d75.pdf
    • https://cdn-cms.f-static.net/uploads/4453117/normal_6039ed3552deb.pdf
    • https://vukosigubew.weebly.com/uploads/1/3/4/8/134860762/mufupajedifajoz_negufifike_tuvevexulinuxar_dafozikasoro.pdf
    • https://cdn-cms.f-static.net/uploads/4411250/normal_60351eddebf31.pdf
    • http://form-lnstagramverificationbadge.com/traduccion_de_espaol_a_ingles_con_audio72icu.pdf
    • https://simidolipuxemit.weebly.com/uploads/1/3/4/4/134486986/nirumibeka.pdf
    • http://milanomoda-italy.site/fivisafemanaxinexogumut0dpo3.pdf
    • http://airned.ru/28424258264hyk78.pdf
    • http://bitjoms.xyz/680568709957ncyk.pdf
    • https://wigazasadus.weebly.com/uploads/1/3/5/9/135974004/danidizo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2edf92d7-a8a3-4b12-b852-a7b514914f95/gaguputaxunupobisedowofed.pdf
    • https://s3.amazonaws.com/fuwawibu/application_letter_example_for_students.pdf
    • https://s3.amazonaws.com/faxaxos/child_custody_agreement_template_australia.pdf
    • https://s3.amazonaws.com/juvuraguvutoxif/20910642779.pdf
    • https://s3.amazonaws.com/gewuwasi/blotter_app_for_android.pdf
    • https://s3.amazonaws.com/desenaz/bihar_anganwadi_sahayika_online_form_2019.pdf
    • https://uploads.strikinglycdn.com/files/7b5c37e1-d510-4b09-86f7-352eb7fc9e8e/zegobe.pdf
    • https://s3.amazonaws.com/difigomisosak/fonedafibogamu.pdf
    • https://uploads.strikinglycdn.com/files/5db1f1db-f713-46ba-ac6c-105142f7a5d5/85635632862.pdf
    • https://s3.amazonaws.com/viwoxuz/ebcdic_full_form_in_computer.pdf
    • https://s3.amazonaws.com/xedewofuretujo/2619471801.pdf
    • https://uploads.strikinglycdn.com/files/49cdfbf1-394a-4983-889f-7ea3b9f343dd/how_to_compress_jpeg_file_size_in_mac.pdf
    • https://uploads.strikinglycdn.com/files/ec395d48-384a-4a16-bc83-23705dae8622/9006629098.pdf
    • https://s3.amazonaws.com/kudufigunabi/cat_in_the_hat_book_summary.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries (the w3.org, purl.org and ns.adobe.com URIs and the SIL OFL link) are XMP metadata namespace identifiers and a font licence URL, not clickable links, and the ascendercorp.com entries are consistent with vendor URLs carried in an embedded font's name table. The link-farm pattern is the remaining set of .pdf links spread across weebly.com, s3.amazonaws.com, strikinglycdn.com, f-static.net and assorted one-off domains.
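The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM, re-implemented as an added example; this is not the analysis platform's own code, and it runs over a constructed PDF skeleton rather than the sample in this report. The object and /URI regexes, the thresholds MIN_LINKS and DOMINANT_SHARE, the ACTIVE_KEYS list and the reserved example.* hosts are all this example's assumptions.

```python
"""Static PDF triage: duplicate indirect objects and external-link farms.

Added example, not the analysis platform's own code. The two heuristics are
re-implemented from their descriptions in the report; MIN_LINKS,
DOMINANT_SHARE and ACTIVE_KEYS are this example's assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order. Real files also need stream-aware
# parsing and /ObjStm decoding; this is enough for the constructed sample.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI literal strings, allowing backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence in a redefined body makes the ambiguity matter (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
MIN_LINKS = 5          # assumed: fewer external links is a normal citation pattern
DOMINANT_SHARE = 0.6   # assumed: share of links on a single host that looks farmed


def parse_objects(data: bytes):
    """Return [(num, gen, body)] in file order, duplicates included."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N G) defined with different bodies.

    Returns {(num, gen): {"first": body, "last": body, "active": bool}} so the
    analyst sees what a first-wins and a last-wins reader would each resolve.
    """
    seen = {}
    for num, gen, body in parse_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {
        key: {"first": bodies[0], "last": bodies[-1],
              "active": any(k in b for b in bodies for k in ACTIVE_KEYS)}
        for key, bodies in seen.items() if len(set(bodies)) > 1
    }


def external_links(data: bytes):
    """PDF_URI / EMBEDDED_URL: every /URI action target, in file order."""
    return [m.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for m in URI_RE.findall(data)]


def link_farm(data: bytes):
    """PDF_SEO_LINK_FARM: many external links, mostly clustered on one host.

    Returns (is_farm, total_links, dominant_host, dominant_share).
    """
    hosts = Counter(urlsplit(u).hostname or "" for u in external_links(data))
    total = sum(hosts.values())
    if total == 0:
        return (False, 0, None, 0.0)
    host, n = hosts.most_common(1)[0]
    share = n / total
    return (total >= MIN_LINKS and share >= DOMINANT_SHARE, total, host, share)


def build_sample() -> bytes:
    """Constructed sample: a one-page PDF skeleton carrying a link farm, then an
    incremental update that redefines object 4 with a different target. Hosts
    are reserved example names, not the ones from the report."""
    farm = [f"https://files.example.net/uploads/{i}/doc.pdf" for i in range(6)]
    other = ["http://fonts.example.org/", "https://cdn.example.com/x.pdf"]
    refs, annots = [], b""
    for num, url in enumerate(farm + other, start=4):
        refs.append(f"{num} 0 R".encode())
        annots += (f"{num} 0 obj << /Type /Annot /Subtype /Link "
                   f"/A << /S /URI /URI ({url}) >> >> endobj\n").encode()
    original = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
                + b" ".join(refs) + b"] >> endobj\n" + annots
                + b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: object 4 declared again, now pointing at a lure host.
    update = (b"4 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://lure.example.com/strik) >> >> endobj\n"
              b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample()
    print("external links:", len(external_links(pdf)), "farm:", link_farm(pdf))
    for (num, gen), info in duplicate_objects(pdf).items():
        print(f"object {num} {gen} redefined; active content: {info['active']}")
        print("  first-wins:", info["first"].decode("latin-1"))
        print("  last-wins: ", info["last"].decode("latin-1"))
```

On the constructed sample, link_farm() reports nine external links with two thirds of them on a single host, and duplicate_objects() returns object 4 0 with both bodies, so the analyst can see that a first-wins reader follows the farm link while a last-wins reader follows the lure, and that the duplicate carries a /URI action and therefore deserves the raised severity the heuristic describes.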

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001025a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1025A
    Size: 5472 bytes
    SHA-256: a71974d210c08661a503c6169ecde5aafc847a406c0df5d38a7c489deb28062d
  • font_01_sfnt_off000114ed.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x114ED
    Size: 22584 bytes
    SHA-256: 00eaf5f94f31341fe6bc261b4e5abcbdfe05bfce51fb709b6276ba8299fed9e8
Both carved files are embedded font subsets, as expected for a wkhtmltopdf-generated document; none of the heuristics above relates to them.