Malicious PDF — malware analysis report

Static analysis result for SHA-256 d188e0a768627d69…

MALICIOUS

PDF

79.2 KB Created: 2021-03-06 09:15:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: 0a6da500f84064d32dd9565470885ee7 SHA-1: 64edbd394486d971c72706d998fd78a52a904a4b SHA-256: d188e0a768627d69f72dc7574d511cf0f0e7c04f16bbc7721fa4eb3c995b8f43
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are generated to appear as SEO-friendly content, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, specifically identified as a phishing trojan. The document body, though heavily obfuscated, contains keywords related to 'vet tech programs' and the authoring application 'wkhtmltopdf', suggesting a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/aws?utm_term=best+vet+tech+programs+near+me PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4405930/normal_5ff1624f8dcfe.pdfIn PDF document text
    • http://fefuzebamag.iblogger.org/hp_8000_elite_manual.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393624/normal_601b835d2da3d.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://eed7fa7e-4f31-4ba6-8269-e73f07ac74c5.filesusr.com/ugd/93374d_c8abcec1ca8b4f23801ba62631c8e9a3.pdf?index=trueIn PDF document text
    • https://16e729f2-8c5c-4787-b670-14aeba6c5e03.filesusr.com/ugd/ac55e2_401369af77ad45b380430310554a10dc.pdf?index=trueIn PDF document text
    • https://52468903-0e2d-47c5-babb-61e1d305d291.filesusr.com/ugd/32777b_72efef030ef34fb4bef8cd8f896222ed.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/10dfdc8c-e1ec-491a-8445-7d3fda1daa3e/73609186371.pdfIn PDF document text
    • https://s3.amazonaws.com/gajakelegeza/sesupivemaxobagiweselipov.pdfIn PDF document text
    • http://wemikovovafebo.epizy.com/aircraft_carrier_alliance.pdfIn PDF document text
    • https://bb491b24-4c81-4ccc-8daa-bf1baeb171c2.filesusr.com/ugd/93c935_001bde65c4d241b4a06a6c95c5679375.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/zuvovoxigumuz/zekuvawun.pdfIn PDF document text
    • https://s3.amazonaws.com/vabedafozo/free_german_language_books_for_beginners.pdfIn PDF document text
    • https://ddf64d59-5240-4154-9987-17dfc28e22c7.filesusr.com/ugd/cec570_0a9397d4cb7849bba19c99ad71d5dce4.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/davubewu/jarrod_radnich_harry_potter_sheet_music.pdfIn PDF document text
    • https://s3.amazonaws.com/rozebofukixus/poduzux.pdfIn PDF document text
    • https://s3.amazonaws.com/vibuvomomuv/instagram_symbol_png.pdfIn PDF document text
    • https://s3.amazonaws.com/xirixepo/imagem_de_chapeu_de_formatura_em_png.pdfIn PDF document text
    • https://s3.amazonaws.com/webipejonavuv/keritizodovelewa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/88927643-337b-484c-8773-a070df79e0a8/betego.pdfIn PDF document text
    • https://s3.amazonaws.com/mixanaz/viper_7752v_remote_charger.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa02.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA02 5424 bytes
SHA-256: 7f982feced7c8e95495de729a58e8518e84f0435220a278b47aa0321b54d301d
font_01_sfnt_off00010c5b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10C5B 10364 bytes
SHA-256: 5d74e8a27a3c3d24974357dda166512632aea9647b66f7b5c7f1ce16fece56f3

Open this report in the interactive analyzer, or submit your own file for analysis.