Malicious PDF — malware analysis report

Static analysis result for SHA-256 d693c89909dcc76c…

Verdict: MALICIOUS
File type: PDF
Size: 83.4 KB
Created: 2021-04-01 01:34:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60788c0c057cec668607b0f6cb07ee97
SHA-1: 4919a88649441fa4311d931f20772add8b5d4ee1
SHA-256: d693c89909dcc76c90b4d6959927246519c5c89fc9b0554cafab792fd9186273
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript (tag only; no script content was extracted from this sample, see the summary below)

The PDF contains a large number of external links, most of them generated SEO-style URLs on throwaway file-hosting and free-subdomain sites (cdn.sqhk.co, weebly.com, filesusr.com, 22web.org, epizy.com, rf.gd and several .xyz domains), the pattern of a link-farm carrier rather than a document with genuine citations. The authoring application, wkhtmltopdf, is consistent with a generated web page converted to PDF. The Nyx classifier (score 0.9992) and ClamAV (Pdf.Phishing.Trojan signature) both flag the file as malicious, ClamAV specifically as a phishing trojan. No script content was extracted, so the T1059.007 (JavaScript) tag is not corroborated by the static findings; what the structure and the URL set do support is a lure that routes users to attacker-controlled pages for credential harvesting or unwanted-software delivery. Two caveats for triage: the last nine extracted URLs (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net) are XMP namespace identifiers and font licence links carried in metadata and the embedded fonts, not clickable targets, so the outbound-link count is somewhat smaller than the raw list suggests; and the file redefines at least one indirect object in an incremental update, at info severity only, which means the redefined body carried no active content but first-wins and last-wins readers may still render different content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; this sample fired at info, so no active content was found in the redefined object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=cv+maker+lamaran+kerja+pdf+apk
    • https://cdn.sqhk.co/gulijolane/icjagX7/pezilufebibux.pdf
    • https://jeduwisuduxib.weebly.com/uploads/1/3/1/4/131483356/rakamiwejo.pdf
    • https://cdn.sqhk.co/gadujotev/ichdibR/new_email_template_outlook_2010.pdf
    • http://banki-internetowe.com/16367618373wygc9.pdf
    • https://perufagumitaxa.weebly.com/uploads/1/3/0/7/130738779/63bad48c13aa.pdf
    • http://spoonnumberone.xyz/vizupanasodivobozade628zm.pdf
    • http://dalutufajako.22web.org/holy_bible_good_news_translation_catholic_edition.pdf
    • https://cdn.sqhk.co/ledirevobep/aqgg9XX/nostalgia_meaning_in_telugu.pdf
    • https://cdn.sqhk.co/wojusipi/bKQjijb/kojilosinopatiromusi.pdf
    • https://xepekozodixati.weebly.com/uploads/1/3/5/3/135346226/zofenalerusumipif.pdf
    • https://cdn.sqhk.co/datolabevev/hYhcsn6/32095815981.pdf
    • https://cdn.sqhk.co/pedidagow/fmaA7dl/vinorumejaw.pdf
    • https://zibiputuwe.weebly.com/uploads/1/3/4/8/134886395/77f6cdf.pdf
    • http://lunesygets.xyz/famous_chemists_word_search_answer_keyd7d40.pdf
    • https://makonajarozov.weebly.com/uploads/1/3/4/3/134341931/jamaxetomel.pdf
    • https://cdn.sqhk.co/bisuligiga/iYtxibf/ributinimoresuvat.pdf
    • http://pubguckazan.com/where_she_went_release_date_movief50ai.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://af18ad75-7652-4b25-b9e0-8da5fded0af1.filesusr.com/ugd/529385_432744dbc69741fc8e49c8d0eb1f9549.pdf?index=true
    • http://gitogopafo.epizy.com/sol_du_ac_in_print_original_marksheet.pdf
    • https://f459ab6e-ac57-43ce-b83a-1524846427e4.filesusr.com/ugd/938c70_c6775c7c911645cda2b075845328802b.pdf?index=true
    • https://ef5e9b3f-1a8e-4c79-9b60-34b8f8133c96.filesusr.com/ugd/18574e_3f2087c16ff940938e9564f4c9975c17.pdf?index=true
    • http://jafimogapevov.rf.gd/29233634325.pdf
    • https://dc58184e-bbba-402a-8e08-a55d552c8f3f.filesusr.com/ugd/0ebc1f_63b78b9accf348de8c1322f7e5471267.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are XMP/RDF namespace identifiers and font licence URLs (SIL OFL, DejaVu) that live in the metadata stream and the embedded font data, not in link annotations, and should not be counted as outbound links.
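The three structural heuristics above (clustered /URI link annotations in a small file, an object redefined with a different body in an incremental update, and URL strings that are not link targets) can be reproduced with a few regular expressions over the raw bytes. The following is an added example written for this report, not the scanner's own code: the sample PDF is constructed inline (it is not the analysed file), the size and link-count thresholds are assumptions, and the list of "active" dictionary keys that raises the duplicate-object severity is likewise assumed. It deliberately works on bytes rather than through a PDF library so that both definitions of a duplicated object are seen, which is exactly what a first-wins or last-wins parser would hide.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): four /URI link annotations, three on
# one host, an XMP metadata stream carrying a namespace URI, and an incremental
# update that redefines object "4 0" with a different target. The xref table and
# an exact stream /Length are omitted because this regex triage does not use them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 8 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a.pdf) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b.pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (http://other.example.test/d.pdf) >> >> endobj
8 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Subtype /Link /A << /S /URI /URI (http://evil.example.test/e.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
BARE_URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
# Keys whose presence makes a redefined object "active" (assumed list, not the scanner's).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA|SubmitForm)\b")


def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order; duplicates are kept."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]


def uri_actions(data):
    """URLs a reader would follow from a /URI action (clickable links)."""
    return [m[1].decode("latin-1") for m in URI_ACTION_RE.finditer(data)]


def bare_urls(data):
    """Every http(s) URL string anywhere in the file, whatever channel carries it."""
    return [m[0].decode("latin-1") for m in BARE_URL_RE.finditer(data)]


def link_farm(data, max_size=200_000, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many links, one dominant host.
    The three thresholds are assumptions chosen for this example."""
    uris = uri_actions(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {
        "links": len(uris),
        "top_host": top_host,
        "top_share": share,
        "hit": len(data) <= max_size and len(uris) >= min_links and share >= min_share,
    }


def duplicate_objects(data):
    """Object ids defined more than once with different bodies -> {(num, gen): (first, last)}."""
    first, dups = {}, {}
    for num, gen, body in parse_objects(data):
        key = (num, gen)
        if key in first and body != first[key]:
            dups[key] = (first[key], body)  # first-wins and last-wins readers diverge here
        first.setdefault(key, body)
    return dups


def resolve_uri(body):
    """The /URI target inside one object body, or None if it carries no link."""
    m = URI_ACTION_RE.search(body)
    return m[1].decode("latin-1") if m else None


def triage(data, **farm_kw):
    """Run the three checks and return one report dict."""
    dups = {}
    for (num, gen), (a, b) in duplicate_objects(data).items():
        dups[f"{num} {gen}"] = {
            "first_wins": resolve_uri(a),
            "last_wins": resolve_uri(b),
            # severity rises only when the redefined object carries active content
            "severity": "critical" if ACTIVE_RE.search(a + b) else "info",
        }
    return {
        "link_farm": link_farm(data, **farm_kw),
        "duplicate_objects": dups,
        # URL strings that are never a link target (XMP namespaces, font licences, ...)
        "non_link_urls": sorted(set(bare_urls(data)) - set(uri_actions(data))),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF, min_links=3), indent=2))
```

On the constructed sample, `triage` reports five link actions with `cdn.example.test` holding 60% of them, flags object `4 0` as critical because the first-wins target (`cdn.example.test/a.pdf`) and the last-wins target (`evil.example.test/e.pdf`) differ and both bodies carry a /URI action, and lists the RDF namespace as the only URL that is not a link target. Against the real sample the same separation explains why the nine namespace and licence URLs at the end of the list should not inflate the outbound-link count.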

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000eed5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEED5   5112 bytes
  SHA-256: a44adf9ee9491913aa3dd0d174918f7344261e953d9874ddc379d9b88b682eea
font_01_sfnt_off00010031.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10031  11016 bytes
  SHA-256: 6fab6dc941899617d19866836a8ff177cb58fa66dac83186e1dea1ef0c4ce32b
font_02_sfnt_off000125a3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x125A3  17524 bytes
  SHA-256: c102a21448656fb02b98963bc585f708560a5315ef1b9a60982b49063db313e5