Malicious PDF — malware analysis report

Static analysis result for SHA-256 d04c9a3d4e016c30…

MALICIOUS

PDF

86.4 KB Created: 2021-03-30 11:23:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 018b57c7a5c10d1755c63b1e1af5be82 SHA-1: 991a6c148615b16549d07ba586123e8bcbafb0dc SHA-256: d04c9a3d4e016c30ce1988cb39862655fe25c03a135d3c3a7459e91c1fdb02ce
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document exhibits characteristics of a callback phishing or tech-support scam, as indicated by the 'SE_CALLBACK_LURE' heuristic. It contains a large number of external links, many of which are dynamically generated, suggesting a link farm designed to improve search engine ranking for unrelated topics. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classifier's high confidence score point towards malicious intent, likely to direct users to malicious sites or initiate fraudulent contact.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=sat+test+august+2020+cancelled
    • https://cdn.sqhk.co/kinubowa/iRYjZhi/onkyo_hf_player_unlocker_review.pdf
    • https://cdn.sqhk.co/vunelebu/CTvDgcB/85104265707.pdf
    • https://cdn.sqhk.co/sadudolamom/uOB0Fib/him_gay_dating_chat_app.pdf
    • https://cdn.sqhk.co/tefaxobaf/igVghje/cashflow_the_investing_game_apk_full.pdf
    • https://cdn.sqhk.co/pigajifaw/DfHUrjc/how_to_loot_pull_the_pin.pdf
    • https://cdn.sqhk.co/ketegobuto/gghggjc/car_racing_games_unblocked_weebly.pdf
    • https://cdn.sqhk.co/pibilebomek/hcjiuhd/tufukavasoref.pdf
    • https://cdn.sqhk.co/nepajenine/riewhdY/28398698147.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/ronenitevodo/98940107928.pdf
    • https://s3.amazonaws.com/posufij/ditegozalob.pdf
    • https://5fc21e60-8324-4589-92a2-9ffbe60b24fc.filesusr.com/ugd/3bcfef_ac069149fbaf4620b7ab366d02f9c480.pdf?index=true
    • https://uploads.strikinglycdn.com/files/33407e65-5aca-4cbf-83d7-72934b2f9b23/how_to_remove_light_fixture_from_hampton_bay_ceiling_fan.pdf
    • https://1ec9b6e7-17eb-4e1e-a994-ba5ce4cbdb7c.filesusr.com/ugd/d4a9d6_4a624280f6764e8c8897bd373e3b0a72.pdf?index=true
    • https://45f0f727-c607-4398-b3b7-8b42e23b21b2.filesusr.com/ugd/0a84ca_81f86ac44df1479a8281fd18b3d48e05.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7e1016dc-5e1b-45d3-ae6a-0e8b9289dbec/keluguwunazo.pdf
    • https://4c8cc264-4606-483b-a6fd-3ab48ba5c15a.filesusr.com/ugd/c626f4_ca27ab62905b4d7196b3c5cadbbaec91.pdf?index=true
    • https://uploads.strikinglycdn.com/files/227b926b-e1c2-4286-a6c6-960f32b53769/86618081684.pdf
    • https://s3.amazonaws.com/zoromexemuzid/how_to_reset_passcode_on_iphone_6s_without_computer.pdf
    • https://uploads.strikinglycdn.com/files/2290de16-bdda-4f70-a9b0-b7a13228ea19/domiwokuwijamipigubux.pdf
    • https://e4034479-4ead-418b-af8c-5be8dc72bdbe.filesusr.com/ugd/1e8759_19233923135c4aeb848d9c24b07f4957.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011466.bin
d97e7c17dee9fae6f3a62e1b38751522164ba8468926d873df097d4ec4899e36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11466 5388 bytes
font_01_sfnt_off000126c8.bin
52cd41ec45eb1513429b2ad97522b80ae7cb90b48962b16a78dae1293339e789		 pdf-font-stream PDF embedded font (sfnt) at offset 0x126C8 11112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.