Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb35e6cf641195c…

Verdict: MALICIOUS
File type: PDF
Size: 81.4 KB
Created: 2021-03-23 09:04:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c18f44902962b34896706119aa4c41f
SHA-1: 7999a398203109b7ec209e6e20266541d2931b1c
SHA-256: deb35e6cf641195cb61eb91be34e1bfb11eb2da1ee5e33953b858c91c1a03776
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links. Most targets are further PDFs on a single host (cdn.sqhk.co), the rest sit on third-party hosting (weebly.com, strikinglycdn.com, filesusr.com, an S3 bucket), and one link (https://baarspo.ru/wix?keyword=download+minecraft+pe+0.15+6+apk) is baited as a download for 'minecraft pe 0.15 6 apk'. Together with the ML classifier score (0.9996) and the ClamAV signature Pdf.Phishing.Trojan, this points to a generated SEO/link-farm carrier built to route users into phishing or malware-distribution chains, not to a document with a normal citation pattern. Two caveats for triage: the remaining extracted URLs (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL and the w3.org, purl.org and ns.adobe.com namespaces) are typeface-vendor, font-licence and XMP namespace strings rather than clickable links, and none of the heuristics below reports JavaScript or other active content, so the T1059.007 mapping is not corroborated by this static pass.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL was reached (macro, JS, link annotation, document body, ...) is what carries weight, and that per-URL label is not reproduced in this listing.
    • https://baarspo.ru/wix?keyword=download+minecraft+pe+0.15+6+apk
    • https://cdn.sqhk.co/zejizoguzut/giWlFen/business_games_for_mba_students.pdf
    • https://cdn.sqhk.co/rarirawibowo/hijekXu/nintendo_switch_console_only_uk.pdf
    • https://cdn.sqhk.co/zudilubal/ieheueP/pufizarulababakomegil.pdf
    • https://funoridarudaru.weebly.com/uploads/1/3/5/3/135304061/rokul.pdf
    • https://cdn.sqhk.co/jutusaxibu/jfhf5hb/kotidinevanorenulexu.pdf
    • https://cdn.sqhk.co/towevefizub/hdLicib/black_christmas_2006_movie_480p_download.pdf
    • https://kufojomarolov.weebly.com/uploads/1/3/4/4/134401526/5720756.pdf
    • https://cdn.sqhk.co/libibamudo/geShdii/ireland_eyewitness_travel_guides.pdf
    • https://cdn.sqhk.co/karadirimose/LjdRhaP/393151715.pdf
    • https://cdn.sqhk.co/zipirevofu/1Z1OH9K/78293370443.pdf
    • https://cdn.sqhk.co/jemajujo/iigie5O/decoracion_de_halloween_para_salones.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/gawabog/how_to_study_for_the_ap_human_geography_exam.pdf
    • https://uploads.strikinglycdn.com/files/4b81d17d-7cc7-4348-81ea-b7efdeb8a728/ruziluwemunezigexiw.pdf
    • https://uploads.strikinglycdn.com/files/4f24d364-9f58-47cd-8428-a0f5f8fae3ab/839372437.pdf
    • https://uploads.strikinglycdn.com/files/36f340e9-1906-479e-96c8-c5ebfcdb0d00/98288790833.pdf
    • https://36fc1fe3-b646-4cc1-b6e9-de51469aea27.filesusr.com/ugd/3eb4bd_eeaf5efa672c43ca9cfc70c65d227fc9.pdf?index=true
    • https://s3.amazonaws.com/fifuto/abu_ambassadeur_5000_line_capacity.pdf
    • https://bf5f3f24-cfb9-4aec-9f01-83e6d863dc5b.filesusr.com/ugd/1f4526_f62256f7bd5543ae9980e123b4f8cc9c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/58a16afd-b157-4e69-af69-a529d25c8a08/how_would_you_describe_a_jungle.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
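
Both the PDF_SEO_LINK_FARM and the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL findings above can be reproduced with a short scan of the raw file. The Python below is an added example written for this page, not the scanner's own code: it collects every `N G obj` definition, reports object numbers defined twice with differing bodies and shows what a first-wins versus a last-wins reader would resolve, then groups /URI targets by host to flag the link-farm shape. The sample PDF, the host names and the thresholds (8 links, 60% on one host) are constructed for the demonstration and are not the report's values.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Indirect object definition "N G obj ... endobj". Every definition is kept,
# including repeats of the same (N, G), which is what the duplicate check needs.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI action target written as a literal string "(...)". Hex strings "<...>"
# and nested unescaped parentheses are not handled by this simplified pattern.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def parse_objects(pdf: bytes):
    """All (num, gen, body) definitions in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(pdf)]


def duplicate_objects(objs):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    bodies = defaultdict(list)
    for num, gen, body in objs:
        bodies[(num, gen)].append(body)
    return {key: seen for key, seen in bodies.items() if len(set(seen)) > 1}


def resolve(objs, num, gen, policy="last"):
    """Emulate a reader that rebuilds the object table by scanning the file:
    first-wins keeps the earliest definition, last-wins the latest one."""
    matches = [body for n, g, body in objs if (n, g) == (num, gen)]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def extract_uris(objs):
    """URI action targets from every object body, reported once per definition."""
    return [m.group(1).decode("latin-1")
            for _, _, body in objs for m in URI_RE.finditer(body)]


def link_farm_score(uris, min_links=8, cluster_ratio=0.6):
    """Flag the PDF_SEO_LINK_FARM shape: many external links, most on one host.
    The thresholds are illustrative assumptions, not the report's tuned values."""
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    if not hosts:
        return {"links": 0, "top_host": None, "top_share": 0.0, "flag": False}
    top_host, top_count = hosts.most_common(1)[0]
    share = top_count / len(uris)
    return {"links": len(uris), "top_host": top_host, "top_share": share,
            "flag": len(uris) >= min_links and share >= cluster_ratio}


def _annot(num, url):
    """One link annotation object with a URI action (constructed helper)."""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n"
            % (num, url.encode()))


# Constructed sample (not the analysed file): a one-page PDF whose link
# annotations mostly point at one CDN host, followed by an incremental update
# that redefines annotation 4 0 with a different target.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R 12 0 R] >> endobj\n",
    _annot(4, "https://docs.example.test/readme.pdf"),
    *[_annot(n, f"https://cdn.farm.example/u{n}/{n}.pdf") for n in range(5, 13)],
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
    _annot(4, "https://lure.example.test/dl?keyword=free+apk"),
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for (num, gen), bodies in duplicate_objects(objs).items():
        print(f"{num} {gen} obj defined {len(bodies)} ways:")
        print("  first-wins ->", resolve(objs, num, gen, "first").decode("latin-1"))
        print("  last-wins  ->", resolve(objs, num, gen, "last").decode("latin-1"))
    print(link_farm_score(extract_uris(objs)))
```

Point it at a real sample with parse_objects(open(path, "rb").read()). The regexes deliberately ignore the cross-reference table: that mirrors readers that rebuild the object table by scanning, which is the population the duplicate-object finding is about, and it keeps working on files whose xref is damaged. Object streams (/ObjStm) are not expanded, so PDF 1.5+ files need an extra inflate pass before this scan sees every object.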

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e53e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE53E; Size: 2960 bytes
    SHA-256: 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac
  • font_01_sfnt_off0000efae.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEFAE; Size: 5568 bytes
    SHA-256: e7c2ebd492c97496dca7facc2b8343307d1a15e80aadaa69e288ef5545db6f1e
  • font_02_sfnt_off0001029c.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1029C; Size: 10780 bytes
    SHA-256: 3458e7f8e5c7e42632642f97f2bac0847edf1048abbcda5bb0b9599baa7501fd
  • font_03_sfnt_off00012795.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12795; Size: 4324 bytes
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
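
The four artifacts above are embedded fonts carved from the PDF's font streams. As an added example (not the analyser's code), the Python below carves every stream that inflates to an sfnt container, checks the offset table for a plausible table directory, and names and hashes each blob in the style the report uses. The sample PDF and the header-only font inside it are constructed for the demonstration; the page does not say which offset the report counts from, so the code reports the offset of the stream data within the file.

```python
import hashlib
import re
import struct
import zlib

# "N G obj << ... >> stream": the dictionary may not run past an endobj, so a
# stream-less object in front of a stream object is not swallowed into its match.
OBJ_STREAM_RE = re.compile(
    rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream(?:\r\n|\n)",
    re.DOTALL)
# Direct /Length only; an indirect "/Length 7 0 R" falls back to the endstream keyword.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

SFNT_MAGIC = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
    b"ttcf": "TrueType collection",
}


def sfnt_info(data: bytes):
    """Parse the sfnt offset table; None when the blob is not an sfnt font."""
    flavor = SFNT_MAGIC.get(data[:4])
    if flavor is None or len(data) < 12:
        return None
    num_tables = int.from_bytes(data[4:6], "big")
    # Table records are 16 bytes each (tag, checksum, offset, length) from byte 12.
    dir_end = 12 + 16 * num_tables
    tags = [data[12 + 16 * i: 16 + 16 * i]
            for i in range(num_tables) if 16 + 16 * i <= len(data)]
    return {"flavor": flavor, "num_tables": num_tables, "tables": tags,
            "truncated": len(data) < dir_end}


def decode_stream(dictionary: bytes, raw: bytes):
    """Only FlateDecode is handled; other filters are returned undecoded."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return None
    return raw


def carve_sfnt_fonts(pdf: bytes):
    """Carve every stream that decodes to an sfnt font, naming each like the report."""
    fonts = []
    for m in OBJ_STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group(3))
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")
        data = decode_stream(m.group(3), raw)
        info = sfnt_info(data) if data else None
        if info is None:
            continue
        fonts.append({
            "object": (int(m.group(1)), int(m.group(2))),
            "offset": start,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "name": f"font_{len(fonts):02d}_sfnt_off{start:08x}.bin",
            **info,
        })
    return fonts


def fake_sfnt(tags=(b"head", b"hhea", b"maxp")):
    """Constructed sfnt header with empty table records; not a usable font."""
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    records = b"".join(struct.pack(">4sIII", tag, 0, 0, 0) for tag in tags)
    return header + records


def build_sample_pdf():
    """Constructed sample (not the analysed file): one Flate-compressed font
    stream, one plain text stream, and the same font stored uncompressed."""
    font = fake_sfnt()
    packed = zlib.compress(font)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog >> endobj\n",
        b"2 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"3 0 obj << /Length 11 >>\nstream\nhello world\nendstream\nendobj\n",
        b"4 0 obj << /Length %d >>\nstream\n" % len(font),
        font, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for font in carve_sfnt_fonts(build_sample_pdf()):
        print(font["name"], font["flavor"], font["size"], "bytes", font["sha256"])
```

The carved blobs are what you hand to a font parser or a second scanner; identical SHA-256 values across streams (as the two copies in the sample produce) let you deduplicate before that step, and a header whose table count outruns the data is worth a closer look before the file is opened in any viewer.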