Malicious PDF — malware analysis report

Static analysis result for SHA-256 e090567e88e581b6…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-03-19 16:40:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69b1f54c890a5f0b9ea497422330edaa
SHA-1: 4fbf7744825308bb7c074533bacbe4e854ea085c
SHA-256: e090567e88e581b6ffabd0d9f89ca7712d231d81023bd305985b8b89d2febe3a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The document body, though heavily obfuscated, appears to contain product-related text, suggesting a lure. The presence of numerous external links, including a link farm detected by PDF_SEO_LINK_FARM, points towards a phishing or malware distribution campaign. The primary attack vector is likely Spearphishing Attachment, with the embedded links serving as the mechanism to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G, i.e. object number N at generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://lozipotod.ru/aws?utm_term=camp+chef+pellet+grill+patio+cover+-+36
    • https://cdn.sqhk.co/vazoguzo/IhhDeyL/my_boo_apple_music.pdf
    • https://cdn.sqhk.co/fumamimed/rOhbygi/direct_line_driving_app.pdf
    • http://deutschebank-meine.com/nespresso_capsules_vertuoline_melozio_medium_roast_coffeev1vaf.pdf
    • http://mihetos.xyz/twilight_saga_eclipse_full_movie_mp4_free_downloadiia8x.pdf
    • https://cdn.sqhk.co/tewokozogop/gdlrigm/giborosufovanexivasel.pdf
    • http://wtia.space/sigasuricrt3q.pdf
    • http://kupiokno.su/datawamegimigopipeoo0fe.pdf
    • http://reduslim-ufficiale.website/zee_tv_serial_punar_vivah_songs_down2b7wn.pdf
    • http://fruct.space/what_is_daphnia_heart_ratezrk3y.pdf
    • http://adv-workshop.site/695757059428u87l.pdf
    • https://cdn.sqhk.co/rokajoten/JdghjhQ/rts_programska_sema_utorak.pdf
    • https://cdn.sqhk.co/modonasuje/vNvgcgf/niteb.pdf
    • http://zabavnyi-slon.ru/can_you_distill_your_own_waterhtx7c.pdf
    • http://gvidilon.ru/zumepedikafafdhxxw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/mesixadelomomo/gexuxesinokepepi.pdf
    • https://e60c805d-b9e1-47fc-b045-983511e9ac1f.filesusr.com/ugd/116bb2_b41064cda4ae43dc8ac6e43aee16b6e7.pdf?index=true
    • https://s3.amazonaws.com/duzexefemosaxe/japeke.pdf
    • https://s3.amazonaws.com/gulapore/83897106614.pdf
    • https://9dd02728-8b0e-4c16-8a5b-31b14a6ec887.filesusr.com/ugd/d8c3ed_d51f91ed4b46442086d31b142453d8b1.pdf?index=true
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_601bf3792fdd4788836d12cfe3a2b3a6.pdf?index=true
    • https://68f06c25-eb64-4e0a-94e3-a0e33e610147.filesusr.com/ugd/463ace_f5e527ca96fc4335a62324fdc1e5d16f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e8d4.bin
    SHA-256: b905cc2c0789f4105812673eaec0949d0ffe81923ab1fe362b121ffe17aef6b9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE8D4
    Size: 5368 bytes
  • Filename: font_01_sfnt_off0000fb31.bin
    SHA-256: faf49ae54eba0419a9409383d785966298fc8446605450d54f76c363f9216a7a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB31
    Size: 11352 bytes
  • Filename: font_02_sfnt_off000121e3.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121E3
    Size: 4324 bytes