Malicious PDF — malware analysis report

Static analysis result for SHA-256 d74a9f5adad3a028…

MALICIOUS

PDF

Size: 89.7 KB  Created: 2021-03-23 21:46:56 +02:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84711410f98e4820a4b670492329639c SHA-1: 75f861aab310c39785ec92cd322abda2f8f5ae0b SHA-256: d74a9f5adad3a0284e6670b294b845852f0da6f7e1a7d4d464f187f42dc73eac
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, a pattern typical of generated carrier documents used to push users toward malware or phishing content rather than of a normal document's citations. The heuristic PDF_SEO_LINK_FARM fired because the clickable links are numerous and clustered on a handful of website-builder and object-storage hosts (weebly.com, filesusr.com, strikinglycdn.com, cdn.sqhk.co, s3.amazonaws.com), which points to a redirection chain rather than genuine references. The ClamAV detection Pdf.Phishing.Trojan supports the malicious classification. The document body, though garbled, contains a URL whose utm_term parameter is a search phrase about a coffee maker, likely a pretext to draw search traffic into the link chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve the object to different content, a parser-confusion shape used by targeted PDFs. Because body-only differences are also common in benign incremental updates, severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=how+to+use+krups+coffee+maker+with+grinder
    • https://xexogabowagub.weebly.com/uploads/1/3/4/4/134438270/xagiwud.pdf
    • https://najabokaxosol.weebly.com/uploads/1/3/5/3/135300306/9050311.pdf
    • https://luludosob.weebly.com/uploads/1/3/4/7/134703274/petowawiraj.pdf
    • https://cdn.sqhk.co/laxegipo/EB5gijQ/project_budget_tracking_template_xls.pdf
    • https://napuguzexavuzes.weebly.com/uploads/1/3/4/8/134875267/a4a257b.pdf
    • https://rovorakule.weebly.com/uploads/1/3/4/7/134774255/punuxulominafiwiza.pdf
    • https://cdn.sqhk.co/pixorabuzep/ge3VjfQ/lamia_report_roh.pdf
    • https://nixejinalir.weebly.com/uploads/1/3/4/3/134321479/xutodopopitifuz_fobekitalu_bijituwu_wejamolex.pdf
    • https://nutukotixirijir.weebly.com/uploads/1/3/5/3/135392142/2984938.pdf
    • https://lasonitukaxo.weebly.com/uploads/1/3/4/8/134889758/wibiwidef.pdf
    • https://pavibizad.weebly.com/uploads/1/3/0/7/130740264/7430041.pdf
    • https://cdn.sqhk.co/vemetafije/mIgihdR/how_many_rockets_fired_into_israel_today.pdf
    • https://cdn.sqhk.co/pakebisas/jbibiaJ/super_saturday_adventure_landing.pdf
    • https://cdn.sqhk.co/sawomunuj/gijeNzz/bilefikusixerezugatelawix.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/lazolu/lozilanul.pdf
    • https://uploads.strikinglycdn.com/files/4fe5e227-6467-449d-85b8-689f232563a2/86869160468.pdf
    • https://1160a196-6e18-49bd-931c-438029629b47.filesusr.com/ugd/40338c_c18ea127cf1647d5a3b07bbfacc51778.pdf?index=true
    • https://f770b3d7-c897-40e0-9323-5ad0abd91552.filesusr.com/ugd/1fa6dd_617945f2a37e4fa4a7792780a9d1c6cd.pdf?index=true
    • https://s3.amazonaws.com/nakuzafol/redhead_gun_safe_electronic_lock_replacement.pdf
    • https://7737876a-f762-42ef-af6f-18b78abacabf.filesusr.com/ugd/9066bd_43e409eabfc84768a8c210a26bea7ed8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/89192a51-82e5-49c3-a241-ba9db7fa73af/simple_and_compound_interest_worksheets_grade_8.pdf
    • https://s3.amazonaws.com/jajuzasalikirut/88740951864.pdf
    • https://91506351-5699-48ce-85e7-8e7d071f4e87.filesusr.com/ugd/d775a9_e7113c9231dd43299467f1c40609479f.pdf?index=true
    • https://s3.amazonaws.com/wipotegadodorek/furuduposopojo.pdf
    • https://uploads.strikinglycdn.com/files/8a428822-57ad-4754-8723-7a7baf6d8b9d/external_battery_charger_for_nikon_coolpix_p520.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
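As an added example, not the analysis platform's own code: a short Python scan that reproduces the logic behind the PDF_URI / EMBEDDED_URL, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above on a constructed PDF byte string. The sample file, the function names, the thresholds (at least three links with 60% of them on one host, "small" meaning at most 200 KB) and the list of active-content keys are assumptions. The scanner is regex-based and is not a conforming PDF parser (it ignores the xref table, streams, object streams and hex or escaped strings), so it is a triage aid, not a replacement for a real parser.

```python
"""Added example (not the analysis platform's code): regex-based triage that
mirrors PDF_URI / EMBEDDED_URL, PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL on a constructed PDF. Names, thresholds
and the sample are assumptions; this is not a conforming PDF parser."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: four link annotations whose /URI actions cluster on one
# host, then an appended incremental update that redefines object 4 0 with a
# different body (a JavaScript action instead of the original link).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-host.test/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-host.test/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-host.test/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.test/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\s*endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active" (it does something when resolved).
# Assumed list for the example, not the platform's definition.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|SubmitForm|GoToR|OpenAction|AA)\b")


def iter_objects(data):
    """Yield (num, gen, body) for every `N G obj ... endobj`, in file order.
    Duplicates appended by incremental updates are yielded again, not merged."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uri_actions(data):
    """URLs reached through /URI actions (the link-annotation channel)."""
    return [u.decode("latin-1") for _, _, body in iter_objects(data)
            for u in URI_RE.findall(body)]


def link_farm(urls, min_links=3, min_share=0.6):
    """Cluster external links by host. Returns (flagged, top_host, share):
    flagged when there are enough links and one host holds most of them."""
    hosts = Counter(urlsplit(u).hostname or "" for u in urls
                    if u.startswith(("http://", "https://")))
    if not hosts:
        return False, None, 0.0
    top_host, n = hosts.most_common(1)[0]
    total = sum(hosts.values())
    share = n / total
    return (total >= min_links and share >= min_share), top_host, share


def duplicate_objects(data):
    """Object numbers defined more than once with different body bytes.
    A first-wins reader sees 'first', a last-wins reader sees 'last'."""
    first_seen, dups = {}, {}
    for num, gen, body in iter_objects(data):
        key = (num, gen)
        if key in first_seen and first_seen[key] != body:
            active = bool(ACTIVE_RE.search(first_seen[key]) or ACTIVE_RE.search(body))
            dups[key] = {"first": first_seen[key], "last": body, "active": active}
        first_seen.setdefault(key, body)
    return dups


def run_heuristics(data, small_limit=200 * 1024):
    """Return {heuristic_id: severity} for the heuristics that fire."""
    fired = {}
    urls = extract_uri_actions(data)
    if urls:
        fired["PDF_URI"] = "info"
        fired["EMBEDDED_URL"] = "info"
    flagged, _host, _share = link_farm(urls)
    if flagged and len(data) <= small_limit:
        fired["PDF_SEO_LINK_FARM"] = "critical"
    dups = duplicate_objects(data)
    if dups:
        # Body-only differences are common in benign incremental updates, so
        # the duplicate is only escalated when it carries active content.
        fired["PDF_DUPLICATE_OBJ_BODY_INCREMENTAL"] = (
            "critical" if any(d["active"] for d in dups.values()) else "info")
    return fired


if __name__ == "__main__":
    for hid, sev in run_heuristics(SAMPLE_PDF).items():
        print(f"{sev:8s} {hid}")
    for (num, gen), d in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj: first-wins={d['first']!r}\n          last-wins={d['last']!r}")
```

On the constructed sample a first-wins reader resolves object 4 0 to a plain link and a last-wins reader to a JavaScript action, which is the divergence the duplicate-object heuristic describes; because that duplicate carries active content, this logic escalates it, whereas the report above left the duplicate at info.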

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0001209a.bin
  SHA-256: 9faffc312c49a97d65a24f1cc16bd5d842aa4590cfc248c40a8d8309b3b6ead7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1209A
  Size:    5656 bytes

font_01_sfnt_off000133c2.bin
  SHA-256: 3c7152cf70fd9befae27ac8841e61a4c84e49034740879118bd89404ecabbc0c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x133C2
  Size:    10960 bytes