Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9c040fe85f9b671…

MALICIOUS

PDF

79.6 KB Created: 2021-04-05 19:30:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8becc9487a7c213da8e1f5b094a96bb2 SHA-1: d2c1af74f86c4df734443892864190d1410244b1 SHA-256: d9c040fe85f9b67152668681baf595453badcb1965dc2fc45d1b6b2d102ec208
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, identified as a link farm, and is flagged by ML classifiers and ClamAV as malicious. The document's content, though heavily obfuscated, appears to be a lure for 'Whatsapp plus free for iphone 5', suggesting a phishing or malware distribution attempt. The presence of numerous Weebly-hosted PDF files indicates a coordinated effort to host malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/123?utm_term=whatsapp+plus+free++for+iphone+5
    • https://ledobosu.weebly.com/uploads/1/3/1/3/131383424/5f8b9f403e44.pdf
    • https://rikolalevagamer.weebly.com/uploads/1/3/1/1/131164452/967493.pdf
    • https://nakoginav.weebly.com/uploads/1/3/0/7/130776809/4043125.pdf
    • https://loxerujose.weebly.com/uploads/1/3/0/7/130775489/9b17b2e7d2e8f8.pdf
    • https://xosavufubat.weebly.com/uploads/1/3/4/3/134346154/7507814.pdf
    • http://shoop-fo.ru/79069600127oluyk.pdf
    • https://faxusonugavipil.weebly.com/uploads/1/3/4/7/134741565/2872864.pdf
    • https://nibivesulekot.weebly.com/uploads/1/3/4/0/134017222/9fdf49.pdf
    • http://netopodimamo.mywebcommunity.org/kumisufumisa.pdf
    • http://lomilinixigal.mypressonline.com/adosphere_2_livre_du_professeur.pdf
    • http://temppicture.xyz/54911676938bgqqk.pdf
    • http://studytogether.fun/compromise_of_1850_worksheetjsutp.pdf
    • http://puxegosabax.22web.org/mcculloch_pro_mac_610_chainsaw_chain.pdf
    • https://valejuti.weebly.com/uploads/1/3/0/7/130739952/dozimomad.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lesodabat.epizy.com/suwolafipoluforofujew.pdf
    • https://s3.amazonaws.com/lukepepe/5310552954.pdf
    • http://rewuwuja.onlinewebshop.net/41703294502.pdf
    • https://s3.amazonaws.com/bupaxomu/50463869639.pdf
    • https://s3.amazonaws.com/voxipanovigepiv/66321437450.pdf
    • http://pivotigapux.rf.gd/tetivibagekonudim.pdf
    • http://nawonuzegajosi.epizy.com/continuous_casting_of_steel_process.pdf
    • https://s3.amazonaws.com/gofiguj/when_to_use_raw_pointers_over_smart_pointers.pdf
    • https://s3.amazonaws.com/xijilesuzuxo/how_to_make_a_full_size_loft_bed_frame.pdf
    • http://futikuzita.onlinewebshop.net/muponadapozanelovadeg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb26.bin
09008e26b69bf0df94da601129efe70521ec0aca9afa831c3d4c290882b8be3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB26 5128 bytes
font_01_sfnt_off00010ca4.bin
b44daedcae1e3843029a0e793443a7250f0d9b2a38be6aef730ab957fd403dbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10CA4 10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.