Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8eb88fa7b6aedfc…

MALICIOUS

PDF

76.0 KB Created: 2021-03-18 08:17:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6eccfe55b14df6fb8c4df8eae5614549 SHA-1: 93491acfc7cfc71920799871d68091952868240e SHA-256: d8eb88fa7b6aedfc648ee7697d8afa8a0c24ec4a024e30e34646365b02322a34
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external resources, indicating a link farm or phishing attempt. One critical heuristic identified a link to known malicious redirector infrastructure. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/wix?keyword=abiotic+factors+in+a+coral+reef
    • https://cdn.sqhk.co/melipetoluf/4Khcbgc/manly_backgrounds_for_iphone.pdf
    • https://cdn.sqhk.co/jikogifuxa/cml6tgi/pet_friendly_accommodation_near_bright.pdf
    • http://kijekidajefi.getenjoyment.net/47235716750.pdf
    • https://xevumijujivo.weebly.com/uploads/1/3/1/3/131383583/4036752.pdf
    • https://cdn.sqhk.co/bozutebux/gdmPRX7/door_slammers_1_gold_glitch_ios.pdf
    • https://jarofipe.weebly.com/uploads/1/3/1/4/131408229/najisubugo.pdf
    • https://cdn.sqhk.co/wapogade/1ibRhdX/plague_inc_scenario_creator_mod_apk.pdf
    • https://cdn.sqhk.co/zapevexuvot/hfG1tzu/jeopardy_buzzer_soundboard.pdf
    • https://cdn.sqhk.co/zaweniwefi/gjlbNib/85618383177.pdf
    • https://cdn.sqhk.co/tofatuxurejo/gjJt9gg/log_thrower_mod_apk_no_ads.pdf
    • https://cdn.sqhk.co/butiluluvuk/lNJkZCj/5407752762.pdf
    • http://tuzogat.sportsontheweb.net/7640670888.pdf
    • http://zodelem.mygamesonline.org/.pdf
    • https://cdn.sqhk.co/sixepatexup/g3kijwZ/xubufigobupewab.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://aefbb2f1-1cfc-4a48-aab2-d72547d84173.filesusr.com/ugd/2f3ac6_81efc2ae4be44c208aa1364b537bd16a.pdf?index=true
    • http://josetevuj.epizy.com/crash_bandicoot_1_guide.pdf
    • http://vizomonuzujo.onlinewebshop.net/atrocity_act_1989_in_marathi.pdf
    • https://69f6cc44-9198-4e41-bafa-43503dba92bf.filesusr.com/ugd/dec231_6a895443812a4abf81af34b22d46c9f8.pdf?index=true
    • https://61249681-e2d1-4375-841a-b3723294d79c.filesusr.com/ugd/3d514e_67723676e2b4419b8c7a66f04c0f5990.pdf?index=true
    • http://wagadepepixapu.epizy.com/imax_b6ac_v2_manuale_italiano.pdf
    • http://mevonaku.rf.gd/novawofisenimolufoti.pdf
    • https://b3a1a1c9-4f8f-4fb8-b7cc-7339030cc889.filesusr.com/ugd/162fe6_a2dde174b1704951883fcc190859b2a3.pdf?index=true
    • http://kavisawadafo.epizy.com/developmental_tasks_of_early_adulthood.pdf
    • http://xekazaz.myartsonline.com/ravatofisoxopiti.pdf
    • https://f7927488-8152-43cb-a667-e231f58cc5c5.filesusr.com/ugd/950cc9_9d1da7d6ee954e4ca945229f16fe2a32.pdf?index=true
    • http://sobavetugobi.epizy.com/what_does_service_rsc_mean.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec35.bin
5914d44a787da5991b3cc2d62628b46ee53e481f473ce24f1556562cdbb24889		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC35 5004 bytes
font_01_sfnt_off0000fd4a.bin
57dd7185c149a6a8228a5081c51eab5a866549bbd5798800c6d75e1b98cb8fc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD4A 10820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.