Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbc278d492ee8636…

MALICIOUS

PDF

79.2 KB Created: 2021-05-31 20:58:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a49bbff679a2bdac2f2b6de1ab3a3055 SHA-1: a18c4368914e2645cb236e6e11ac0a776e3c6022 SHA-256: dbc278d492ee86360c703fdbf1500cd4f3be26e2868b1202eb306ccf37a4aacd
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which point to SEO spam pages designed to host malicious files. The presence of a 'download button' heuristic and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest a phishing or malware distribution attempt. The document body, though heavily corrupted, contains a string related to downloading an 'apk', indicating a lure for potentially unwanted or malicious mobile applications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/pbw?utm_term=download+free+fire+mod+diamante+infinito+apk
    • https://ziresaro.weebly.com/uploads/1/3/4/5/134509830/kilafikifix.pdf
    • https://nopixivej.weebly.com/uploads/1/3/4/8/134887628/juwitaboruvok_vagujaziwate.pdf
    • https://rajopolaxobi.weebly.com/uploads/1/3/1/4/131406270/4ed8974.pdf
    • https://nadunala.weebly.com/uploads/1/3/4/8/134877180/fuzurunob-kavavot-zunutuzejuxa-gexikowojek.pdf
    • https://dakuxemi.weebly.com/uploads/1/3/4/8/134883968/felezebopagegu_wiviti_siwasozoneku.pdf
    • https://bujezabuzi.weebly.com/uploads/1/3/4/3/134310034/bedugo.pdf
    • https://sumomaduge.weebly.com/uploads/1/3/4/8/134884200/1591563.pdf
    • https://lorotorerusut.weebly.com/uploads/1/3/1/4/131452969/493ddfb406d33.pdf
    • https://joxisewegiwazev.weebly.com/uploads/1/3/4/6/134669132/kurewobe_vovabim_fanilezoxaluwin.pdf
    • https://rezosegog.weebly.com/uploads/1/3/2/8/132814067/3784097.pdf
    • https://kukibujez.weebly.com/uploads/1/3/1/6/131637652/1672427.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/60df4325-599e-4ad9-bf74-fe2892e6a3b4/swing_trading_strategies_india.pdf
    • https://uploads.strikinglycdn.com/files/c4d319d8-2053-444a-a738-bab4d2c8cdad/power_electronics_and_drives_mcq.pdf
    • https://uploads.strikinglycdn.com/files/ceab0192-cd93-4acb-bcac-98bce46cc23d/la_grange_tab.pdf
    • https://uploads.strikinglycdn.com/files/03298564-3ce6-486a-86dc-0236a168b7c4/150_metros_en_centimetros_cuanto_es.pdf
    • https://uploads.strikinglycdn.com/files/7934954f-7fab-4ca7-a2b8-0bbf4b2b3e7c/zubifowodesik.pdf
    • https://uploads.strikinglycdn.com/files/5662012d-76c0-433e-874d-ba09add72afe/how_to_replace_dacor_oven_temperature_sensor.pdf
    • https://uploads.strikinglycdn.com/files/7ce9ed55-ff4d-4ee8-8181-53e41579cfaa/37805571610.pdf
    • https://uploads.strikinglycdn.com/files/1043a381-2aea-4507-b3a6-2700fb85e383/17316367035.pdf
    • https://uploads.strikinglycdn.com/files/92cb975d-c177-4187-b08d-420313da0b47/juvorizebozunim.pdf
    • https://uploads.strikinglycdn.com/files/ae73414a-dd4b-4f2f-8a7a-6a58f67a73e8/xudafumisuvifajojijolot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e595.bin
d2c0481015d8833a7cadea4b47348099abeecd5272204c5b6a384028a673e880		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE595 4952 bytes
font_01_sfnt_off0000f668.bin
ff3ae7505d11379ad450dfea045ab55c06dbb7cc8a1c15e7eb14aa9c5fb70793		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF668 13536 bytes
font_02_sfnt_off00012121.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12121 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.