Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9c3b5ea5938a2ac…

MALICIOUS

PDF

78.2 KB Created: 2021-03-01 07:52:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd25e6e68f7c198d77b0eab1496cbb48 SHA-1: d6beda3539b960aee9c6c9086e09f86c5e0c62b1 SHA-256: d9c3b5ea5938a2aca9eb17e43108175eed6f62d640c29181e746ae8fe5a06d3a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. It contains numerous external links, with a critical heuristic identifying it as a link farm. The ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.Trojan. The presence of embedded URLs and the overall structure suggest an attempt to direct users to potentially harmful websites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/aws?utm_term=black+owned+ice+cream+shop+chicago
    • https://xasukibumit.weebly.com/uploads/1/3/4/7/134749231/633cbbd0c.pdf
    • https://cdn-cms.f-static.net/uploads/4365608/normal_5fdc52fc33c99.pdf
    • https://cdn.sqhk.co/leluforeref/jChihcf/damunegur.pdf
    • https://static.s123-cdn-static.com/uploads/4463266/normal_5fc6409251652.pdf
    • https://cdn-cms.f-static.net/uploads/4384482/normal_60242edb8561e.pdf
    • https://cdn.sqhk.co/dasisogi/Dgfw6D1/28551999491.pdf
    • http://stingeksoj.online/what_does_tom_daleys_husband_dotpeqt.pdf
    • https://cdn.sqhk.co/gopepilexafi/bhfq0Aq/perfect_slices_cut_fruit.pdf
    • https://cdn.sqhk.co/numovasovev/gJihijg/border_patrol_news_laredo.pdf
    • https://cdn.sqhk.co/vibisidumes/hjjgjd9/bad_words_stickers_for_whatsapp_app_download.pdf
    • https://cdn-cms.f-static.net/uploads/4482629/normal_602b363815122.pdf
    • https://cdn.sqhk.co/fekawifen/bamRRhc/41155297997.pdf
    • https://zipuwuxa.weebly.com/uploads/1/3/4/3/134376087/biwimilu_ruwapidowaser_loxatup.pdf
    • https://redumufisinuf.weebly.com/uploads/1/3/1/6/131636648/609e8eeff5.pdf
    • https://cdn.sqhk.co/wogefosa/e61higi/religion_in_china_pie_chart.pdf
    • https://kerumeso.weebly.com/uploads/1/3/4/6/134641164/sozebot-limazik.pdf
    • https://cdn.sqhk.co/wemonamo/7GMhe7z/waxubapabu.pdf
    • https://lexugorubu.weebly.com/uploads/1/3/0/7/130776619/f861afabd9c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f284.bin
e8dbe61d89977c00b9debd574e0b0074ae19e41711432bcebd0b6b28f01f19e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF284 5692 bytes
font_01_sfnt_off000105cf.bin
3233e4e42e430af2976fb8d59ac94edea65d1d614c37f7a84628744b35a02ae6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105CF 10984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.