Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcb744c8cd4f9807…

MALICIOUS

PDF

68.8 KB Created: 2021-04-03 08:47:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05c7294bdb16096ebb9d375b176d0091 SHA-1: af2cd5f7baa4d35cae9d9d00c94fdcab5c0bab28 SHA-256: dcb744c8cd4f98077d2a637d57d985f7eb814e37c25edc0540093c3fc6828574
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a tactic to drive traffic to potentially malicious sites. The ClamAV detection and ML classifier also indicate malicious intent, specifically flagging it as 'Pdf.Phishing.Trojan'. While no scripts were directly extracted, the structure and numerous external URLs point towards a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=mustang+floor+mats+2014
    • https://cdn.sqhk.co/zudilubal/ge2hejd/cnc_3040_limit_switch_wiring.pdf
    • https://zeruxitewisav.weebly.com/uploads/1/3/1/8/131856065/fagapokokasege.pdf
    • http://load-bcp.com/gitufonovomenilax2gtc.pdf
    • https://cdn.sqhk.co/gowamojon/hgtTqjc/eastern_gorillas_lifespan.pdf
    • https://wevuretadoza.weebly.com/uploads/1/3/5/3/135320639/314863.pdf
    • http://chaptejvxz.fun/delonghis_safeheat_ceramic_heater5kk8j.pdf
    • https://cdn.sqhk.co/lafuwexale/hejeqEW/pesopevazaxajafetifu.pdf
    • http://lnstagramlivesupportcenter.com/vapajegoridiwopivixu8d16g.pdf
    • https://vamexerop.weebly.com/uploads/1/3/6/0/136085595/151a501a35f7ea.pdf
    • http://chunyoo.com/13438639987tlhz3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2386e270-bd20-42c1-b3e5-1ba7eaa1d68d.filesusr.com/ugd/b4f0c6_08f24d76c44143438b16a37eb89c4424.pdf?index=true
    • https://564fd4a8-0e6d-4f97-813a-a14a70c45316.filesusr.com/ugd/f90d28_c010f68ec3b74b46a52aa98dbfce2618.pdf?index=true
    • https://uploads.strikinglycdn.com/files/eee09adc-0777-4056-826a-b7524fbcf71a/attack_on_titan_movie_live_action_watch.pdf
    • https://297de083-771a-4730-a3b8-a2afe8c7d209.filesusr.com/ugd/47424f_ea4b8a361c104b849df9edff3b95bcb6.pdf?index=true
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_cfd97f4cd1dd44b88a80a4c678fe631b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c7d42d36-884e-4e34-8252-bf7f44575861/kitchenaid_kcm1202ob_12-cup_programmable_coffee_maker_manual.pdf
    • https://5d94d51b-2702-4b64-8df3-eadd022f3edc.filesusr.com/ugd/2ddd39_bb288659f62b4df492a3375d5a02178d.pdf?index=true
    • http://kirojera.rf.gd/92691103787.pdf
    • https://uploads.strikinglycdn.com/files/0b12fa0a-27c1-4332-a153-498e3343217f/heat_and_glo_fireplace_turns_on_by_itself.pdf
    • http://rovuwuruw.epizy.com/68529827910.pdf
    • https://uploads.strikinglycdn.com/files/d66502b9-e9fa-4903-a566-6e94ad60e507/5456629964.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cead.bin
af80ca6dac142ce0a1fcf5f72b5b544f29b1eb0c6f7fda446fc78ddb3163c2d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCEAD 5504 bytes
font_01_sfnt_off0000e166.bin
4cc2f40eb7db0b1ffab4ca05f9ce51a2179c7c449aba0b125f9f8a2c865266a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE166 10672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.