Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1d1017bc6d9d26b…

Verdict: MALICIOUS
File type: PDF
Size: 73.0 KB
Created: 2021-03-18 16:17:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50698bd1aab55992ce1767dd7e1b9108
SHA-1: 583e2658f0638a2b6dec40c39c66146f7828e157
SHA-256: e1d1017bc6d9d26b0701b0523327f09b4b75d382324e1a87e3a8b6d9cbf75c8b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. The heuristic firings show that it contains a mass external PDF link farm, with URLs such as http://totalcreditreport.info/15561593167a12fn.pdf, suggesting it is used for SEO spam or phishing. The document body, though heavily obfuscated, contains metadata naming 'wkhtmltopdf' and a creation date, hinting at how it was generated. No scripts were extracted, but the presence of numerous external links points towards a phishing or spamming attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e252.bin
    SHA-256: bf50b89706c5c50dceb6df2e58d388469f83197f44907de845b698a7f455ecc6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE252
    Size: 4712 bytes
  • font_01_sfnt_off0000f26d.bin
    SHA-256: 04ecc007c73e909eefc892f443795ff25a2a2ccd9465273765b33039b02b9500
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF26D
    Size: 10728 bytes