Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9682b87e7196935…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2021-03-21 00:57:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47c50f7175cb92b7e8c2d93171966923
SHA-1: 99af315a3b16a34dadb550ba41104128e7f2d01b
SHA-256: c9682b87e71969354acd0a4b1ca3c071b647aada0a471c7e0c85d2997d4f5353
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, identified as a 'link farm' by heuristics, suggesting an attempt to drive traffic to potentially malicious websites. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs point towards a common tactic of using documents as lures to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f617.bin
  SHA-256: ddcdc9a1947fb30b3ddb1a8b5afb6ef5f8e8fc49bdf73a7644cf700cfd43bd91
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF617
  Size: 5612 bytes

Filename: font_01_sfnt_off000108fa.bin
  SHA-256: b03149fbf4d365b72d0ef05a92233156196b76972fa8faf50890f06fdf35a435
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x108FA
  Size: 11128 bytes