Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6b76391f37480ad…

Verdict: MALICIOUS
File type: PDF
Size: 91.4 KB
Created: 2021-03-28 23:29:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bddf20b3acb82de6169df2574f6d2f1f
SHA-1: 1f54d46b7b61c77a1888f8b67b619516d8a9c371
SHA-256: c6b76391f37480ade059ac82e2a2a16253e1957921def0010822d450fe5e9681
Risk score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links (flagged by the PDF_SEO_LINK_FARM heuristic) pointing to disposable-looking domains (.ru, .club, .fun, .icu, .online) and free file-hosting CDNs (weebly.com, cdn.sqhk.co, filesusr.com). The authoring application, wkhtmltopdf, is consistent with a mass-generated HTML-to-PDF carrier rather than a hand-authored document. The ClamAV signature and the ML classifier both rate the file malicious; the likely purpose is phishing or routing victims into further malware delivery. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action such as a URI, JavaScript or Launch action).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (link annotation, JavaScript, macro, document body, XMP metadata, ...) records how each URL was reached. The .pdf links below on disposable domains and free-hosting CDNs are the link-farm targets; the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers, and the scripts.sil.org and dejavu.sourceforge.net entries are licence URLs from the embedded DejaVu fonts, not clickable links. The ascendercorp.com entries appear to come from font metadata as well.
    • https://jumiwimov.ru/wix?keyword=pioneer+bdr-xd05b+vs+bdr-xd07b
    • http://jusapp.club/626669407089dxbw.pdf
    • http://proita.fun/diferencias_entre_los_animales_y_los_seres_humanose9oga.pdf
    • https://pumaxodevuk.weebly.com/uploads/1/3/1/8/131872084/c56a8.pdf
    • http://reliables.ru/72475777535ppq4n.pdf
    • https://cdn.sqhk.co/wekajibex/gjjhiaR/raid_shadow_legends_champions_to_keep.pdf
    • https://cdn.sqhk.co/nuzinipaz/QiaPpje/cotton_classing_usda.pdf
    • http://fresh-ita.fun/najoborimelaxodarigfssd.pdf
    • https://mirodogewe.weebly.com/uploads/1/3/4/8/134861862/9001977.pdf
    • http://ch-redirect.icu/watts_premier_ro-pure_replacement_faucetcbzzf.pdf
    • https://rixikevepu.weebly.com/uploads/1/3/1/4/131408169/dokadanabadepivuzi.pdf
    • https://lodufokokafapav.weebly.com/uploads/1/3/5/3/135346761/todesupogafi.pdf
    • https://cdn.sqhk.co/fugovigul/jcwjfja/image_d_un_singe_qui_mange_une_banane.pdf
    • https://cdn.sqhk.co/ranetixeba/Ooifjaw/41815676838.pdf
    • http://bigpleasure.ru/jezivuruwab4kv1.pdf
    • http://rawenspant.online/35345304524jfcwh.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://bc732cde-fb09-4fee-8ab5-c82a45a1131b.filesusr.com/ugd/2ac701_f4b3e67c116d41509836b51a6206f326.pdf?index=true
    • https://d497f082-4895-42de-a72c-038d9367c8a3.filesusr.com/ugd/8e727b_eca944e253694e7dbac25dc465ab3899.pdf?index=true
    • https://cd70d4e5-4a1a-4071-96d1-f2415ea5ece1.filesusr.com/ugd/7f46b5_46c93e3cf367440a92022a6e1f535891.pdf?index=true
    • https://6fd4412c-3e6e-4f21-a9af-8137ffc6c0d9.filesusr.com/ugd/03469c_e314bb03ec574ab0926930e2617d4869.pdf?index=true
    • https://64e18f06-8a0e-4dc1-8427-9dd81b4bff36.filesusr.com/ugd/baa514_018318610b034d638ae160765caf2506.pdf?index=true
    • https://a32e93c2-1aa3-4149-af29-aa5d163ab988.filesusr.com/ugd/40336e_ca6b6fa46742473da3d82cc48e262dff.pdf?index=true
    • https://afa032df-bfad-47da-a9c8-c79260182993.filesusr.com/ugd/6f9b04_1d55516466e44e4eac9d796a6738a61e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
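
The two parser-level heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced in a few dozen lines. The following Python is an added example written for this page, not the analysis engine's own code. It builds a small constructed PDF (not the real sample) with ten link annotations, seven of them on one host, plus an incremental update that redefines one annotation object with a different /URI, and then shows what a first-wins and a last-wins reader would each resolve. The thresholds, the .test/.example hosts and the ACTIVE_KEYS list are assumptions.

```python
"""Constructed demo of two PDF triage heuristics over a synthetic PDF:
an external-link farm clustered on one host, and an indirect object defined
twice with different bodies (first-wins vs last-wins parser disagreement)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical thresholds; the report's real PDF_SEO_LINK_FARM parameters are not published.
LINK_FARM_MAX_SIZE = 200 * 1024
LINK_FARM_MIN_URLS = 8
LINK_FARM_MIN_HOST_SHARE = 0.5
# Assumed set of dictionary keys that make a redefined object "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)

# Constructed link set: seven of ten URLs share one host, as the link-farm heuristic expects.
SAMPLE_URLS = [
    "http://cdn.linkfarm.test/u/a1b2c3.pdf", "http://cdn.linkfarm.test/u/d4e5f6.pdf",
    "http://cdn.linkfarm.test/u/g7h8i9.pdf", "http://cdn.linkfarm.test/u/j1k2l3.pdf",
    "http://cdn.linkfarm.test/u/m4n5o6.pdf", "http://cdn.linkfarm.test/u/p7q8r9.pdf",
    "http://cdn.linkfarm.test/u/s1t2u3.pdf", "http://host-a.test/x.pdf",
    "http://host-b.test/y.pdf", "https://host-c.test/z.pdf",
]
REDEFINED_URL = "http://redirect.example/alt.pdf"


def build_sample_pdf(urls, redefine=True):
    """Minimal constructed PDF: one page with a /Link annotation per URL. With redefine=True an
    incremental update appends a second '4 0 obj' whose /URI differs from the first one."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
                    b" /A << /S /URI /URI (" + u.encode() + b") >> >>")
    out = [b"%PDF-1.4"]
    out += [b"%d 0 obj\n%s\nendobj" % (i, body) for i, body in enumerate(objs, 1)]
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    if redefine:
        out.append(b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
                   b" /A << /S /URI /URI (" + REDEFINED_URL.encode() + b") >> >>\nendobj")
        out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


def pdf_objects(data):
    """Every 'N G obj ... endobj' in file order, as ((N, G), body)."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip()) for m in OBJ_RE.finditer(data)]


def resolve(data, last_wins):
    """Object table as a first-wins or a last-wins reader would build it."""
    table = {}
    for oid, body in pdf_objects(data):
        if last_wins or oid not in table:
            table[oid] = body
    return table


def uri_actions(body):
    """/URI (...) targets in one object body, with PDF literal-string escapes for ( ) \\ undone."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1") for m in URI_RE.finditer(body)]


def resolved_uris(data, last_wins=False):
    return [u for body in resolve(data, last_wins).values() for u in uri_actions(body)]


def link_farm_verdict(data):
    """PDF_SEO_LINK_FARM-style check: small file, many external URI actions, dominated by one host."""
    uris = resolved_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    flagged = (len(data) <= LINK_FARM_MAX_SIZE and len(uris) >= LINK_FARM_MIN_URLS
               and share >= LINK_FARM_MIN_HOST_SHARE)
    return {"urls": len(uris), "top_host": top_host, "top_share": round(share, 2), "flagged": flagged}


def duplicate_object_findings(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: object ids defined more than once with
    different bodies. 'active' is True when either body carries an action key, which is when the
    report says severity should be raised; the two URL lists show what each reader family resolves."""
    first, findings = {}, []
    for oid, body in pdf_objects(data):
        if oid not in first:
            first[oid] = body
        elif body != first[oid]:
            findings.append({"obj": oid,
                             "active": any(k in first[oid] or k in body for k in ACTIVE_KEYS),
                             "first_wins": uri_actions(first[oid]),
                             "last_wins": uri_actions(body)})
    return findings


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS)
    print(link_farm_verdict(pdf))
    for finding in duplicate_object_findings(pdf):
        print(finding)
```

Run it as a script to print both verdicts. A raw string scan of the whole file, the way many triage tools extract URLs, would count eleven URIs here; resolving through an object table first is what makes the first-wins/last-wins disagreement visible as a separate finding instead of one extra URL.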

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt); no other payload was carved.

Filename: font_00_sfnt_off0001104e.bin
  SHA-256: 76bde49cef77a829f3cfe3bf5f3272ab8af69e721fb1c32b863c6f8d1918ea47
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1104E
  Size: 5224 bytes

Filename: font_01_sfnt_off0001223a.bin
  SHA-256: 7e86c5d7ab23dd1910e6a7db2b2a3a72c95cfab6bd4ac09bc75d7fc590691371
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1223A
  Size: 11536 bytes

Filename: font_02_sfnt_off00014982.bin
  SHA-256: 7ccd8150e2c48a9748994740f2a0713563e2bc66516285f786c138bc0577823a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14982
  Size: 16088 bytes