Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcf1b2cca3a85fa5…

Verdict: MALICIOUS
File type: PDF
Size: 82.1 KB
Created: 2021-04-09 01:57:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6a0e627e9b39e67b2aa0b2296c45897
SHA-1: dc1e2e802f16039507facc4c703723bb8eeeee03
SHA-256: bcf1b2cca3a85fa53cdeedab6a66acf1bd4645ea0f5882a5d2397b64fbbcf19d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV and the ML classifier both flag this PDF, and its structure is consistent with a phishing or trojan delivery carrier rather than a document in its own right. The visible text, though heavily obfuscated, points to a search-bait lure ('Ms excel 2007 complete tutorial pdf free download'). The dozens of external links, many of them to further .pdf files clustered on a single CDN host, match the generated SEO link-farm pattern used to route users into malicious or unwanted-software download chains. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by the content recovered here; the verdict rests on the AV signature, the classifier score and the link-farm heuristic, not on an observed exploit. The linked hosts are the natural pivot for blocking and hunting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8631

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=ms+excel+2007+complete+tutorial+pdf+free+download
    • https://pukelubaluwo.weebly.com/uploads/1/3/4/7/134741361/31949.pdf
    • http://hyipinvest.site/zosodefinafiv7zp0.pdf
    • http://medyayazilimtr.com/pipajededokibudurujaponuamqp.pdf
    • https://cdn.sqhk.co/kisudosus/diihjjg/93941134083.pdf
    • https://cdn.sqhk.co/xeliwiwogivo/aijILii/doom_movie_trailer_2019.pdf
    • https://cdn.sqhk.co/wekaradukuve/hcuOics/80275658555.pdf
    • https://cdn.sqhk.co/keximovib/yByghgd/tatowunidato.pdf
    • http://itravelgr.com/ravivaqyr47.pdf
    • https://cdn.sqhk.co/wepiwojeta/eAhfDhe/39989144921.pdf
    • https://cdn.sqhk.co/gokarunedod/a5TRhfJ/17674446175.pdf
    • http://italia-doc.space/92544160449349qz.pdf
    • http://salonop.xyz/14128899031opdos.pdf
    • https://cdn.sqhk.co/baxewoxevum/hficoNC/52321853660.pdf
    • http://storeeu.info/76267908624rpvts.pdf
    • https://dutajedi.weebly.com/uploads/1/3/5/9/135964159/946ac8e.pdf
    • http://save50it.pro/wezugav2k3z.pdf
    • https://cdn.sqhk.co/xidafigutoxa/3ggnSWE/48275436622.pdf
    • http://zavudonalu.66ghz.com/fixunenadezufadalaxow.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://mofaxufotema.rf.gd/drivers_hp_laserjet_1012_para_windows_10.pdf
    • http://jegovogetaferop.epizy.com/types_of_formal_letters_examples.pdf
    • http://zokexobakinujez.epizy.com/navy_tech_school.pdf
    • http://watifisur.rf.gd/27727483184.pdf
    • http://scripts.sil.org/OFL
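Added example, not the analysis platform's own rule code: a small Python triage script that reimplements the two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, over a constructed miniature PDF. The thresholds, the set of keys treated as "active content", the function names and the sample hosts are assumptions chosen for illustration. It is a byte-level scan that neither inflates compressed streams nor unpacks object streams, so on a real sample it belongs beside a full parser rather than in place of one.

```python
"""Link-farm and duplicate-object heuristics as a stand-alone triage script.

Added example; thresholds, rule names and sample data are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): four /URI link annotations,
# three of them to .pdf paths on one host, plus an incremental update that
# redefines object 4 with a different body.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Length 11 >> stream
Hello world
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.invalid/a/1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.invalid/b/2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.invalid/c/3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://fonts.example.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 12 >> stream
xxxxxxxxxxxx
endstream endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Second constructed sample: a further update swaps object 5's URI action
# for a JavaScript action, so the duplicate now carries active content.
SAMPLE_PDF_ACTIVE = SAMPLE_PDF + b"""5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
OBJ_RE = re.compile(rb"^\s*(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.M | re.S)
# Keys whose presence makes a duplicated object "active" (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile|URI)\b")


def extract_uris(data: bytes) -> list[str]:
    """Return the target of every /URI action, undoing the PDF string escapes."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(data: bytes, max_size: int = 200 * 1024,
                    min_pdf_links: int = 3, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM analogue: small file, many external .pdf links, mostly one host."""
    uris = extract_uris(data)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / len(uris) if uris else 0.0
    flagged = len(data) <= max_size and len(pdf_links) >= min_pdf_links and ratio >= cluster_ratio
    return {"uris": len(uris), "pdf_links": len(pdf_links), "top_host": top_host,
            "ratio": ratio, "flagged": flagged}


def object_versions(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Map (object number, generation) to every body defined for it, in file order."""
    versions: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        versions.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return versions


def duplicate_object_severity(data: bytes) -> dict[tuple[int, int], str]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL analogue: info unless a version is active."""
    out = {}
    for key, bodies in object_versions(data).items():
        if len(set(bodies)) < 2:
            continue  # defined once, or redefined with identical bytes
        out[key] = "critical" if any(ACTIVE_RE.search(b) for b in bodies) else "info"
    return out


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes | None:
    """The parser-confusion itself: first-wins and last-wins readers see different bodies."""
    bodies = object_versions(data).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    print(duplicate_object_severity(SAMPLE_PDF_ACTIVE))
    print(resolve(SAMPLE_PDF, 4, 0, "first"), resolve(SAMPLE_PDF, 4, 0, "last"))
```

On the first sample the link-farm check fires (three .pdf links, 75% on one host) while object 4's duplicate stays at info, matching the severity logic described above; on the second sample object 5's duplicate is raised to critical because one of its versions carries a JavaScript action. Comparing `resolve(..., "first")` with `resolve(..., "last")` on the same object number is the quickest way to see what a lenient viewer and a strict one would each render.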

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f880.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF880
    Size: 5700 bytes
    SHA-256: 37040eebf2f28a940ccd062cc06b284b83d956ad81659f4effb7d8ea391be4ea
  • font_01_sfnt_off00010bef.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BEF
    Size: 11688 bytes
    SHA-256: bc56c0ca977481378e5fa316c4b2ab986f899ba155664a5c8c4a55c3794fc45e
  • font_02_sfnt_off000133cf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x133CF
    Size: 4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2