Malicious PDF — malware analysis report

Static analysis result for SHA-256 d407a7f6a3834dc8…

Verdict: MALICIOUS
File type: PDF
Size: 78.4 KB
Created: 2021-04-06 03:08:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0ec04926ea185f57d716ca2b76c777c
SHA-1: e3f22f5af70dec8e2f279e2a6820f6b2a76edcc2
SHA-256: d407a7f6a3834dc8ed4f07d1ada5e283c9a6f8b8db862f0893fb86d4669da2c5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used to redirect users to malicious websites for phishing or to download further payloads. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URIs suggest an attempt to exploit users through deceptive content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains a mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d8bd.bin | 2bb3341fd59df782cb91a1bab4c490ce8b50d0e531fc51125087411ebedfe160 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD8BD | 5556 bytes
font_01_sfnt_off0000ebae.bin | 8b02a68aaa74dab0d475ea115d864b09b82b8cb3f39fbf3f91ce8605906512e9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBAE | 10072 bytes
font_02_sfnt_off00010e71.bin | b81b859db290a32e5f5c7ca7dcad6f067d11cc0aa3540ede786fe105411a2091 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E71 | 17988 bytes