Malicious PDF — malware analysis report

Static analysis result for SHA-256 df69d6645e9927cb…

Verdict: MALICIOUS

File type: PDF, 72.4 KB
Created: 2021-04-20 20:52:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     1cee3ca70ae05e1d3e3de31fccd41ab4
SHA-1:   eb50e7112b28901dbece2a5426a8ed736db2019c
SHA-256: df69d6645e9927cb99ff682d520c722948232a8973c81d6f7b9e6232949f11b0
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
None of the heuristics listed below reports a JavaScript object in this file, so treat the T1059.007 mapping as unconfirmed by this static pass.

The file was flagged as malicious by three independent sources: a ClamAV signature (Pdf.Phishing.Trojan), the Nyx ML classifier (score 0.9992) and the PDF_SEO_LINK_FARM heuristic. It is a small (72.4 KB) PDF produced by wkhtmltopdf, an HTML-to-PDF converter, and it carries about two dozen clickable external links, nearly all of them to other .pdf files on a handful of free-hosting and CDN domains (cdn-cms.f-static.net, *.filesusr.com, s3.amazonaws.com, *.mypressonline.com), with a keyword-stuffed tracking URL on jumiwimov.ru at the head of the list. That is the shape of a generated SEO link-farm carrier that routes users into malicious or unwanted-software delivery chains, not a document with a normal citation pattern. None of the heuristics reports JavaScript, a launch action or an embedded file, so the verdict rests on the link pattern, the signature and the classifier: the document is a lure rather than an exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (such as an action or a script).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=vtech+cordless+digital+answering+system+cs6124
    • https://cdn-cms.f-static.net/uploads/4454965/normal_606d23d4e6813.pdf
    • http://patedeziw.mypressonline.com/kilesazixiviforivizus.pdf
    • https://cdn-cms.f-static.net/uploads/4477638/normal_604da939686e3.pdf
    • https://cdn-cms.f-static.net/uploads/4378856/normal_6015ee898e2df.pdf
    • http://muzibatixabu.mypressonline.com/audacity_girl_meaning_in_hindi.pdf
    • https://cdn-cms.f-static.net/uploads/4445742/normal_605d5ef876f3a.pdf
    • https://cdn-cms.f-static.net/uploads/4379844/normal_60540a2d50de0.pdf
    • https://cdn-cms.f-static.net/uploads/4463812/normal_604acbd492be5.pdf
    • https://static.s123-cdn-static.com/uploads/4501042/normal_5fe2036c2ce59.pdf
    • https://cdn-cms.f-static.net/uploads/4483071/normal_6015b6ebac7f5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://29aa9d28-cc9d-45fc-8d86-3718b5881c84.filesusr.com/ugd/74c34a_40288858b463458e8c6e82edca1f29b8.pdf?index=true
    • https://84d51d8d-5932-465a-b044-5d36dace581c.filesusr.com/ugd/98e2de_9dcca4fe12384e0d8a2b5eea5d7ef642.pdf?index=true
    • https://s3.amazonaws.com/vososasoxumete/zebas.pdf
    • https://29159626-56e2-4eb2-a8c1-eb081f451e44.filesusr.com/ugd/a58502_7ea45974e8eb4b5a9a5b6a3eb0dff0f4.pdf?index=true
    • https://2a403a33-5f6e-4534-96f9-742aa7325afc.filesusr.com/ugd/d2da83_67cb544aa6074f66a0758d0187f31ba3.pdf?index=true
    • http://sokekakeloji.onlinewebshop.net/bangalore_cdp_map.pdf
    • https://d04c2b29-3777-4fe6-aaa9-ab96f87c3324.filesusr.com/ugd/43eb95_fe0379c4a1844742873e5b9938ca2581.pdf?index=true
    • https://49550882-97ce-44db-a38b-6e383bb81149.filesusr.com/ugd/062c90_b06df8538f9643abb8577409e8fdd358.pdf?index=true
    • https://f459ab6e-ac57-43ce-b83a-1524846427e4.filesusr.com/ugd/938c70_1b4c28314009461799b6fe11c7036af0.pdf?index=true
    • https://9eb5ee95-128e-4115-bcd6-d8db8525ce49.filesusr.com/ugd/9904c2_7dc75c9028fe4fe6a21204660d50248d.pdf?index=true
    • https://s3.amazonaws.com/zubata/landlord_final_walk_through_checklist.pdf
    • https://s3.amazonaws.com/saziwijaxodav/what_is_a_critical_appraisal_table.pdf
    • https://9eaa565e-fb97-40b4-b096-d6760803f699.filesusr.com/ugd/55e2c6_1a1c5bd4f971436c80a1aa66100cc52f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Not every extracted URL is a clickable link. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, http://scripts.sil.org/OFL is the SIL Open Font License URL normally carried in font metadata, and the ascendercorp.com and daltonmaag.com entries are type-foundry sites (Ascender, Dalton Maag) that most likely come from the embedded fonts as well (an inference from the three carved sfnt fonts, not a label the scanner assigned). The link-farm signal comes from the remaining entries: .pdf targets on cdn-cms.f-static.net, static.s123-cdn-static.com, *.filesusr.com, s3.amazonaws.com, *.mypressonline.com and *.onlinewebshop.net, plus the jumiwimov.ru tracking URL at the head of the list.
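The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce for triage. The following Python script is an added example, not part of this report or of the scanner that produced it: it tokenises indirect objects with a regular expression, resolves duplicated object numbers both first-wins and last-wins, counts /URI action targets per host, and flags duplicates that carry active content. The thresholds (10 links, 50% on one host), the list of active-content keys and the constructed sample PDF are assumptions made for the example, not the scanner's values.

```python
"""Regex triage for two of the PDF heuristics reported above: clustering of
external /URI targets per host (PDF_SEO_LINK_FARM) and indirect objects that
are defined more than once with differing bodies
(PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), resolved first-wins and last-wins.
Thresholds, key lists and the sample file are assumptions for this example."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj": a tolerant tokenizer, not a full PDF lexer. It ignores the
# xref table on purpose, so it also sees objects an incremental update superseded.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string); escaped characters are allowed, hex strings <...> are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys that turn a duplicated object into "active content" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> every body seen for it, in file order (duplicates are kept)."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def resolve(objects: dict, policy: str = "last") -> dict:
    """Collapse duplicates the way a reader does: 'first' or 'last' definition wins."""
    idx = 0 if policy == "first" else -1
    return {key: bodies[idx] for key, bodies in objects.items()}


def external_uris(resolved: dict) -> list:
    """All /URI action targets in the resolved object set (PDF strings are bytes; decode latin-1)."""
    return [m.group(1).decode("latin-1")
            for body in resolved.values() for m in URI_RE.finditer(body)]


def link_farm_assessment(uris: list, min_links: int = 10, host_share: float = 0.5) -> dict:
    """Count links per host and flag 'many links, mostly on one host' (assumed thresholds)."""
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {"links": len(uris), "hosts": len(hosts), "top_host": top_host,
            "top_share": round(share, 2), "flag": len(uris) >= min_links and share >= host_share}


def duplicate_objects(objects: dict) -> dict:
    """Objects defined more than once with different bytes; byte-identical re-emissions are ignored."""
    return {key: bodies for key, bodies in objects.items() if len(set(bodies)) > 1}


def active_duplicates(dups: dict) -> dict:
    """Subset of duplicates where any definition carries an action or script key."""
    return {key: bodies for key, bodies in dups.items()
            if any(k in body for body in bodies for k in ACTIVE_KEYS)}


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: 12 link annotations, 9 on one host,
    then an incremental update that redefines annotation 5 0 with a new target.
    No xref table is written; the tokenizer above does not need one."""
    hosts = ["cdn.example-farm.test"] * 9 + ["a.test", "b.test", "c.test"]
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(hosts)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj" % refs)
    for i, host in enumerate(hosts):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (https://%s/doc_%d.pdf) >> >> endobj"
                    % (4 + i, host.encode(), i))
    update = (b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (https://update.example-farm.test/swap.pdf) >> >> endobj")
    return (b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
            + update + b"\ntrailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")


if __name__ == "__main__":
    objects = parse_objects(build_sample_pdf())
    for policy in ("first", "last"):
        uris = external_uris(resolve(objects, policy))
        print(policy, link_farm_assessment(uris))
    dups = duplicate_objects(objects)
    print("duplicates:", {k: len(v) for k, v in dups.items()})
    print("active duplicates:", list(active_duplicates(dups)))
```

To run it on a real file, call parse_objects(open(path, "rb").read()). Because it scans raw bytes rather than walking the xref chain, it sees every definition of an object number, including the one a later incremental update superseded, which is exactly what the duplicate-body check needs. URIs stored as hex strings or inside compressed object streams are not covered; inflate object streams first if the file uses them.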

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt containers), as expected for a wkhtmltopdf-generated document; none is an executable payload.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000cc5b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCC5B    5724 bytes
  SHA-256: 972807d0ede6a825f7dde3f0ea71a94b67be49c1a536a57e7f3ec0820756446b
font_01_sfnt_off0000dfcd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDFCD   10600 bytes
  SHA-256: f8036c5e5e6fc64dee693588a32aadbbd2be5f43f2965a3eb11db2f2942d31c2
font_02_sfnt_off000103dc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x103DC   4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2