Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc1f769e01a3d903…

MALICIOUS

PDF

Type: PDF   Size: 73.2 KB   Created: 2021-03-18 04:23:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     76f0e813ed470b66367fe139c6524fac
SHA-1:   11b28ca278a949881b1863d1ace034c13d6f58d2
SHA-256: cc1f769e01a3d90356a44f0aa77b27ca434aef351f9f145262821dfc7a036a95
Risk score: 204

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

This PDF was flagged by several independent sources: the ML classifier, a ClamAV signature and structural heuristics. The PDF_SEO_LINK_FARM finding, together with the cluster of outbound .pdf links hosted on generic file-hosting domains (filesusr.com, strikinglycdn.com, s3.amazonaws.com) and on throwaway-looking hosts, matches generated SEO link-farm carriers that route users into malware or unwanted-software delivery chains rather than a document that cites sources. The wkhtmltopdf producer string is consistent with an automatically rendered HTML page rather than an authored document. The SE_CLICKFIX finding indicates the document text instructs the reader to run a command (Win+R or a terminal paste), a social-engineering pattern that sidesteps macro and script restrictions entirely because the victim, not the document, executes the payload. No JavaScript or launch action was reported in the file itself; the risk lies in where the links and the instructions lead.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (7)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature match
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal. This is consistent with ClickFix attacks, which bypass macro and script restrictions by tricking the user into running the malicious command directly, so no exploit or active content is needed inside the file.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low signal on its own unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (a save appends a new copy of the object), so severity is raised only when the duplicate carries active content such as an action or script.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first URL carries an SEO keyword parameter, the following .pdf links are the link-farm payload, and the final seven entries (RDF, Dublin Core and Adobe XMP namespace identifiers, the ascendercorp.com font-foundry pages and the SIL Open Font License URL) are schema and licence identifiers from document and font metadata, not navigable lures.
    • https://seumenha.ru/award?keyword=abbyy+finereader+pdf+to+word+converter
    • http://cesaregaspari.com/64x32bjsm0.pdf
    • http://particulier-societegenerale.xyz/futekazumozojirobkoy6l.pdf
    • http://keysecret.ru/xeduneloxoxabekekagil9711.pdf
    • http://alteramaks.world/business_mathematics_and_statistics_questions_and_answersdi174.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://26c1613e-5d28-4fa3-89cb-3d2c9ab59faf.filesusr.com/ugd/fe83c3_c1668c8cad1f44d780c3232468623c0b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6956f62b-f1a2-4f3c-9b31-79230a25a0f6/programmable_logic_controller_tamil_meaning.pdf
    • https://d4508431-0eee-4913-ac2a-2ec907ed9b18.filesusr.com/ugd/12daa7_3b4d9db9a44b44078da41f0aa0e4572c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/67182c49-8690-4933-a004-92446154eef4/finite_element_method_book_download.pdf
    • https://s3.amazonaws.com/tesodagiwor/tezuni.pdf
    • https://s3.amazonaws.com/napoledunadigo/kozebinatebivejarizizekep.pdf
    • https://3bdad275-8828-414d-9063-9532e035d791.filesusr.com/ugd/c67d0c_07adf004bef14ece92d8c09626aa0787.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fbe01fd8-c792-4593-bb79-0afefc3e0ff9/general_intelligence__reasoning_questions_and_answers_for_ssc_cgl_free_download.pdf
    • https://676a7a22-5bec-432e-92e0-9d4a0a27851c.filesusr.com/ugd/a1fb72_b7f473f490ab4394b773c21f53807515.pdf?index=true
    • https://df6a9abb-74f3-47e1-b359-fe6d1019da36.filesusr.com/ugd/7921d2_cdbd2a2bd49a4c9cbb9e71a5dabebb87.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9b0a69b1-562f-448d-8f19-c105cf321ce0/how_hard_is_aws_certification_reddit.pdf
    • https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_e90731fe80fe4fe0987c48a7d7298ff8.pdf?index=true
    • https://ecfc1f44-6648-4072-bff5-6ee4adcfbe4f.filesusr.com/ugd/e5a943_12b68e0ed19e49768286c185ce73362a.pdf?index=true
    • https://s3.amazonaws.com/fadobirak/pamit.pdf
    • https://6131fb9f-3080-406c-a6ab-c4686b6a2f6f.filesusr.com/ugd/52be6f_6940886ad32c41eb9d11d13b383910bf.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
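As an added illustration (not output of the analysis tool and not code from it), the following Python sketch reproduces two of the structural checks listed above on a constructed miniature PDF: it extracts /URI link annotations and measures how they cluster per host and how many point at .pdf paths (the PDF_SEO_LINK_FARM idea), and it finds an object number defined twice with different bodies, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when the duplicate carries active content (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The sample bytes, host names and thresholds are invented for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" in file order; body is everything between the keywords.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI entries; backslash escapes are kept as-is.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence in a duplicated object makes the finding actionable.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/EmbeddedFile")


def _link(num, url):
    """Constructed link annotation object (hypothetical test data)."""
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n").encode()


# Constructed link targets: four on one host, one on a second host, one schema URL.
LINKS = [
    "https://cdn.example-farm.test/ugd/a1.pdf?index=true",
    "https://cdn.example-farm.test/ugd/b2.pdf?index=true",
    "https://cdn.example-farm.test/ugd/c3.pdf?index=true",
    "https://cdn.example-farm.test/ugd/d4.pdf?index=true",
    "https://s3.example-bucket.test/zz/e5.pdf",
    "https://www.w3.org/1999/02/22-rdf-syntax-ns#",
]

# Constructed miniature PDF (not the analysed sample). Object 4 0 is defined a
# second time after the first trailer, mimicking an incremental update.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >>\nendobj\n"
    + b"4 0 obj\n<< /Title (Harmless) >>\nendobj\n"
    + b"".join(_link(5 + i, u) for i, u in enumerate(LINKS))
    + b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    + b"4 0 obj\n<< /Title (Harmless) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 9 >>\n%%EOF\n"
)


def iter_objects(data):
    """Yield (num, gen, body) for every top-level object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) keys defined more than once with different bytes, with the body a
    first-wins reader and a last-wins reader would each resolve."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {key: {"first": bodies[0], "last": bodies[-1]}
            for key, bodies in seen.items() if len(set(bodies)) > 1}


def duplicate_severity(dups):
    """'high' when either body of a duplicate carries active content, else 'info'."""
    return {key: ("high" if any(k in v["first"] or k in v["last"] for k in ACTIVE_KEYS) else "info")
            for key, v in dups.items()}


def extract_uris(data):
    """URLs from literal-string /URI entries (hex strings and compressed object
    streams are out of scope for this regex sketch)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(uris, file_size, min_pdf_links=5, cluster_ratio=0.5, max_size=200 * 1024):
    """Small file + many outbound .pdf links + most links on one host => link farm."""
    hosts, pdf_links = Counter(), 0
    for u in uris:
        p = urlparse(u)
        if p.scheme not in ("http", "https"):
            continue
        hosts[p.netloc.lower()] += 1
        pdf_links += p.path.lower().endswith(".pdf")
    total = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / total if total else 0.0
    flagged = file_size <= max_size and pdf_links >= min_pdf_links and share >= cluster_ratio
    return {"total_links": total, "pdf_links": pdf_links, "top_host": top_host,
            "top_host_share": round(share, 2), "flagged": flagged}


if __name__ == "__main__":
    print(link_farm_score(extract_uris(SAMPLE_PDF), len(SAMPLE_PDF)))
    for key, sev in duplicate_severity(duplicate_objects(SAMPLE_PDF)).items():
        print(f"object {key[0]} {key[1]} defined twice with different bodies: severity {sev}")
```

Raw-byte regexes are deliberately what a triage heuristic does, and they have the same blind spots: links and duplicates stored inside compressed object streams (/ObjStm) or written as hex strings will not be seen, so a real pipeline should run the same logic over objects yielded by a proper parser such as pikepdf or pdfminer, and should treat the first-wins/last-wins pair as two separate documents to scan.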

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e12a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE12A  5324 bytes
  SHA-256: 9f327ea992bcb4f654b9fb563139781e19af2dafa527b9a4ea81c3c5438cc350
font_01_sfnt_off0000f370.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF370  10480 bytes
  SHA-256: 4ad8f0c1f4d21998d12c582596d5e92e710ef61e96b67844aec4a407937ea2f7