Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6cb18863d6daa5f…

MALICIOUS

PDF

Size: 69.9 KB
Created: 2021-04-05 07:07:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 33b7e4bb4355f679fd3d819484c9e785
SHA-1: 2378fcc30050726522e4b763cd67479db5c930b9
SHA-256: c6cb18863d6daa5f63fb4bf23a6b67ffcb11910454bd422aeb8ef72c3a98b99f
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF contains a large number of external link annotations that cluster on a small set of hosts, the shape of a generated SEO link farm; the primary URL points to an 'unblocked games' keyword page. This heuristic, together with the ClamAV signature hit and the ML classification, indicates a phishing or unwanted-software distribution carrier rather than a legitimate document. No script content was extracted from this sample, so the verdict rests on the document structure and the volume of external links, which show that the document's purpose is to route the user to external content rather than to convey information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://soxebez.ru/wix?keyword=unblocked+games+at+unblocked
    • https://kakoxisowi.weebly.com/uploads/1/3/4/3/134358665/6265911.pdf
    • http://medtechnika1.ru/helly_hansen_life_jacket_size_guidegcs80.pdf
    • http://carinsusa.com/2d_animation_books_free6epzm.pdf
    • http://pasendapp.online/how_to_get_windows_on_macbook_pro_for_free0l1gf.pdf
    • https://winakafefumo.weebly.com/uploads/1/3/1/3/131397983/guvedojadugus.pdf
    • http://kernig.pro/elias_oraba_coro_tabernaculo_letra4be9d.pdf
    • https://visosoduvevup.weebly.com/uploads/1/3/4/2/134234588/fulagudezotevabukuza.pdf
    • https://timifuxi.weebly.com/uploads/1/3/4/6/134676324/85df1.pdf
    • https://bekedurid.weebly.com/uploads/1/3/0/8/130874189/vilevo.pdf
    • http://podarokinsta24.online/b._ed_degree_form_aioucbtb7.pdf
    • https://navemozozaju.weebly.com/uploads/1/3/1/1/131164567/4788891.pdf
    • http://kpupnov.pro/architecture_d_intrieur_formation4xwvl.pdf
    • http://tifusavegapawuf.mygamesonline.org/85846675371.pdf
    • https://valodoxajub.weebly.com/uploads/1/3/4/4/134435871/bovolofawelapokojike.pdf
    • http://ruvujagefeko.mygamesonline.org/wu_tang_clan_series_next_episode.pdf
    • https://zadobixif.weebly.com/uploads/1/3/1/4/131437920/basuguluwoki.pdf
    • http://vofufime.mypressonline.com/all_about_me_worksheet_free.pdf
    • http://lnstagram-office.com/jelazopamezulapesnafq.pdf
    • http://hotgirls.host/9428584777450cl5.pdf
    • https://suzeziji.weebly.com/uploads/1/3/0/7/130739492/fafol.pdf
    • http://crawlmqyu.space/907290785655mgoy.pdf
    • http://latuha.com/binomial_theorem_booku490d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://7f3356c1-ec1f-498a-9d41-5b36c14d87b7.filesusr.com/ugd/98d33d_ab2e5cde26e446f8bd0d146f93f25e32.pdf?index=true
    • https://b9b086bb-db5c-4c47-b99c-4ca3d8c772c1.filesusr.com/ugd/c090b7_9bfc13188fc542bb82ebdb43e8b58e07.pdf?index=true
    • https://1ec9b6e7-17eb-4e1e-a994-ba5ce4cbdb7c.filesusr.com/ugd/d4a9d6_6ff35c070d8141149e7949b5a17adbe5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries (the w3.org, purl.org and ns.adobe.com namespaces and the SIL OFL page) are XMP/RDF namespace identifiers and a font-licence URL carried in document and font metadata. They are not clickable link annotations and are not what the PDF_SEO_LINK_FARM heuristic counts.
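The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few dozen lines over raw PDF bytes. The block below is an added example written for this page; it is not the scanner's code, and the thresholds (10 links, half of them on one domain), the "last two labels" domain grouping and the list of active-content keys are assumptions. It only handles uncompressed PDF syntax with literal-string URIs, so object streams, filters, encryption and escaped parentheses are out of scope. The sample PDF is constructed inline and is not the analysed file.

```python
"""PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, reimplemented
over raw PDF bytes. Illustrative only: regexes over uncompressed syntax, no
object streams, filters, encryption or escaped strings."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: three /Link annotations (two on
# one host) followed by an incremental update that redefines object 4 with a
# different body carrying an /OpenAction with JavaScript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj\n"
    b"4 0 obj << /Producer (wkhtmltopdf) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://a.example/x1.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://a.example/x2.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example/y.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    # incremental update: object 4 is defined a second time with a new body
    b"4 0 obj << /Producer (edited) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
# Keys whose presence makes a duplicated body "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")


def extract_uris(data: bytes) -> list:
    """Literal-string /URI targets of URI actions, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' grouping so foo.weebly.com and bar.weebly.com
    cluster together (no public-suffix list; enough for a heuristic)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def link_farm_score(uris, min_links=10, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM shape: many external http(s) links, mostly on one
    domain. The thresholds are assumptions, not the scanner's values."""
    domains = Counter()
    for u in uris:
        p = urlsplit(u)
        if p.scheme in ("http", "https") and p.hostname:
            domains[registrable_domain(p.hostname)] += 1
    total = sum(domains.values())
    if total == 0:
        return {"external_links": 0, "top_domain": None, "top_share": 0.0, "link_farm": False}
    top, n = domains.most_common(1)[0]
    share = n / total
    return {"external_links": total, "top_domain": top, "top_share": share,
            "link_farm": total >= min_links and share >= cluster_ratio}


def duplicate_objects(data: bytes) -> dict:
    """(num, gen) -> list of bodies, for objects defined more than once with
    differing bodies. A first-wins reader resolves bodies[0]; a last-wins
    reader (normal incremental-update semantics) resolves bodies[-1]."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_object_findings(data: bytes) -> list:
    """Severity is raised only when one of the conflicting bodies carries
    active content, mirroring the heuristic description above."""
    findings = []
    for key, bodies in duplicate_objects(data).items():
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({"obj": key, "definitions": len(bodies),
                         "first": bodies[0], "last": bodies[-1],
                         "severity": "critical" if active else "info"})
    return findings


def analyze(data: bytes) -> dict:
    uris = extract_uris(data)
    return {"uris": uris, "link_farm": link_farm_score(uris),
            "duplicate_objects": duplicate_object_findings(data)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_PDF), indent=2, default=repr))
```

Run against the constructed sample, the link-farm check reports three external links with two thirds of them on one domain (below the assumed 10-link threshold, so not flagged) and one duplicated object, 4 0, whose second body adds an /OpenAction and is therefore reported at critical severity. On a real carrier like the one above, the `/URI` extractor is what feeds the clustering, and the weebly.com subdomains would collapse into one domain under the grouping used here.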

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d409.bin
  SHA-256: e9a58e844e0e1ab458a4b6681045d6b242affdb47ce35bf5ad6bf2581e412d5e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD409
  Size: 5356 bytes

Filename: font_01_sfnt_off0000e637.bin
  SHA-256: f5d536b7ea2ed53e5c5eb06323ed0a3d2ecddc4d4aa7d826001e3ece07632db0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE637
  Size: 10616 bytes