Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7069dfd2b8f6195…

MALICIOUS

PDF

73.2 KB Created: 2021-06-02 23:12:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: 8f22517880d8c52c71364d9a87fa1556 SHA-1: e7081cbc41c276a86bc0220632df3b267dc1dbb7 SHA-256: e7069dfd2b8f6195aa919cba0074e1d9dda6bb929b3b68d385a899fe2c92bf43
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm with numerous external URLs, including one pointing to a site offering software keygens, suggesting a lure for malware distribution or phishing. The heuristic 'SE_SECURITY_BYPASS' also indicates the document may instruct users to disable security software, further supporting a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/pbw?utm_term=keygen+euro+truck+simulator+2+%2528activation+keys%2529+free+download PDF link annotation
    • https://tulapubilogu.weebly.com/uploads/1/3/4/8/134881906/6722845.pdfIn PDF document text
    • https://nizuwutino.weebly.com/uploads/1/3/1/4/131482859/fowubod.pdfIn PDF document text
    • https://ditomivowulute.weebly.com/uploads/1/3/4/6/134679561/76d672.pdfIn PDF document text
    • https://dowusezawidi.weebly.com/uploads/1/3/3/9/133997386/103393.pdfIn PDF document text
    • https://pixogupegitof.weebly.com/uploads/1/3/4/5/134592450/7cf8c833335e1b.pdfIn PDF document text
    • https://kazefapakoj.weebly.com/uploads/1/3/4/6/134644741/b2920ba9d.pdfIn PDF document text
    • https://gezixipa.weebly.com/uploads/1/3/4/5/134503119/zezuvebilafiseziji.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/725aa38f-d075-419c-b342-63943aba3efa/naxasuwaxonox.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0bb85cc1-01d7-49ed-8a14-b93274db1a97/harbor_breeze_remote_instructions.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4850dcaa-f18d-4916-bd34-1bf87741e2dc/77349298660.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a9066299-a817-4647-b087-194775f7e559/chicco_bravo_trio_travel_system_car_seat_weight.pdfIn PDF document text
    • http://jopamedet.pbworks.com/w/file/fetch/144450366/antiphonale_romanum_2009.pdfIn PDF document text
    • http://jajisaparev.pbworks.com/w/file/fetch/144412299/75533067768.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de06f572-906c-4208-ba33-7f38ba0e4ae4/padi_rescue_diver_knowledge_review.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1b2ce87f-47e9-40a2-a14b-69ec8736450e/will_there_be_another_dark_tower_book.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/47e5013c-9a2f-44fb-936d-d794ba86793b/coleman_powermate_5500_watt_generator.pdfIn PDF document text
    • http://ridelox.pbworks.com/f/how_much_is_the_deductible_for_att_insurance.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01290b62-377f-4eaa-9f45-d8e9e9e7394b/what_is_modal_verb_example.pdfIn PDF document text
    • http://kefimazusob.pbworks.com/w/file/fetch/144424794/44878405133.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c7ae5532-5785-45cd-bb7b-769f1b14942a/how_tight_should_a_deck_belt_be.pdfIn PDF document text
    • http://rugewenuzed.pbworks.com/w/file/fetch/144422355/how_to_get_pets_in_giant_simulator_2020.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5946a457-22ab-463e-90c6-d7980d7a7334/universal_remote_control_codes_for_digital_stream_converter_box.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ec8bb1a8-95ca-4792-bf97-1754019aa0d5/68302810398.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ddd1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDDD1 5916 bytes
SHA-256: f47d003c7b54caad17257743561df5b735cb01b133b3523b690c3faca74c658c
font_01_sfnt_off0000f21b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF21B 10924 bytes
SHA-256: def6a46c7b87d15c17f432f7956875fd52ed81f22095bd0f32abb56552269cfe

Open this report in the interactive analyzer, or submit your own file for analysis.