Malicious PDF — malware analysis report

Static analysis result for SHA-256 db9d1e54ac8b7313…

MALICIOUS

PDF

Size: 86.7 KB
Created: 2021-03-25 16:45:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3241ed6cffcf449bb0fc7242ed488bd2
SHA-1: 70dc57dbcdb25e1f85fba73970905ec8c898b20c
SHA-256: db9d1e54ac8b7313ebb8f7afa1c07066756181b59053f7cbe32b9175c7f15252
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for phishing or distributing further malware. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the presence of many external URIs suggests an attempt to redirect the user to malicious sites, likely for credential harvesting or malware download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=star+ocean+integrity+and+faithlessness+character+guide
    • https://bubosetew.weebly.com/uploads/1/3/4/5/134515161/6744064.pdf
    • https://cdn-cms.f-static.net/uploads/4379487/normal_603cb18367cb4.pdf
    • https://cdn-cms.f-static.net/uploads/4456116/normal_604b4797378aa.pdf
    • https://cdn.sqhk.co/tatogevi/iREEIa4/purple_glitter_wallpaper_for_walls.pdf
    • https://cdn-cms.f-static.net/uploads/4462986/normal_603c731e0325a.pdf
    • http://tapopapebesawu.getenjoyment.net/toro_lx420_manual.pdf
    • https://pazijovipa.weebly.com/uploads/1/3/4/3/134327002/35d1bedea95.pdf
    • https://cdn.sqhk.co/xenaporo/fhiGnji/dungeon_pixel_hero_mod_apk.pdf
    • https://cdn-cms.f-static.net/uploads/4460677/normal_6016ec85c2c68.pdf
    • http://lizowaw.scienceontheweb.net/dunejapusorefuk.pdf
    • https://cdn-cms.f-static.net/uploads/4408184/normal_604f65d9c1290.pdf
    • https://busedulaxuxelo.weebly.com/uploads/1/3/1/3/131379622/acb680869222ed3.pdf
    • https://safamitiwifiro.weebly.com/uploads/1/3/0/7/130739579/3b10421bb353dda.pdf
    • http://pusatokolerax.mywebcommunity.org/61328468998.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/gekixadonuru/zobivab.pdf
    • https://s3.amazonaws.com/jenisozazewubo/ezreal_guide_season_9.pdf
    • http://faxiruvud.myartsonline.com/12912619739.pdf
    • https://s3.amazonaws.com/tidigudetefumof/silent_letters_worksheets_2nd_grade.pdf
    • https://s3.amazonaws.com/sinadi/radha_krishna_bhajans_free_mp4.pdf
    • https://s3.amazonaws.com/nijosinizo/52696806794.pdf
    • https://s3.amazonaws.com/zaxuledo/zavipobamivagafaziruw.pdf
    • http://pulitisagot.atwebpages.com/best_light_reader_for_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f200.bin
  SHA-256: 13796f338b52fc9a86b850e4d200e08f42d51a0e0a9e5225b5957afaceb51e9d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF200
  Size: 5940 bytes

Filename: font_01_sfnt_off00010670.bin
  SHA-256: 3ad8cd7eca230c4efa0eb4c0082baed1c872743f992673e6e79386bb544f10c6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10670
  Size: 5368 bytes

Filename: font_02_sfnt_off0001189c.bin
  SHA-256: 3b4972d236bad052cba394a3671e5f2776cf6ba94cc1967f3af1fa524de3e076
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1189C
  Size: 11320 bytes

Filename: font_03_sfnt_off00013e58.bin
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13E58
  Size: 4324 bytes