Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7c411e0ae3bf728…

MALICIOUS

PDF

82.5 KB Created: 2021-04-03 20:31:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b206b202cb0b2e6e5c05dd8dc7cbb1db SHA-1: 72162455770d4400aaad988a9368a068905d37e5 SHA-256: e7c411e0ae3bf7286af954b7a95d29f6473f4845c7291f00b5930e353f404812
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics, including a critical alert for linking to known malicious redirector infrastructure. The document contains a large number of embedded URLs, suggesting a link farm or phishing attempt. The ML classifier also strongly indicated maliciousness, and ClamAV detected it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/award?keyword=autumn+leaves+piano+pdf+jazz
    • https://cdn.sqhk.co/patagarinixa/hjDgfdV/17931109950.pdf
    • https://cdn.sqhk.co/vemunaxudug/Vhedtr2/jejufazu.pdf
    • https://cdn.sqhk.co/kowaziwaso/iehgN5i/nfl_week_12_schedule_flex.pdf
    • https://cdn.sqhk.co/jidelugob/dhfiiih/bullet_rush_game_online.pdf
    • https://cdn.sqhk.co/romekeka/0vibTgd/6952183650.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7c96f612-777b-4c87-b253-0d26ecf02291/19096695506.pdf
    • https://uploads.strikinglycdn.com/files/afe8f023-185f-46e4-a2cc-16ed2e757510/reducing_fractions_worksheet_4th_grade.pdf
    • https://uploads.strikinglycdn.com/files/59010273-4d62-4eb2-9b5a-3c874d02aeef/what_is_the_conflict_of_the_story_on_the_sidewalk_bleeding.pdf
    • https://3064a0a7-8496-4b95-be1e-56094aee372f.filesusr.com/ugd/0cf4b9_7db3dcf045a04d1d9e962e3f35bc98e0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2d1c810b-b564-46c8-96e1-ad98f6236069/guzetasomarenurudaboposi.pdf
    • https://d8d078ea-10ec-4787-8e21-ef6e32b87a24.filesusr.com/ugd/8f6098_c59786d4900048308d81289568442969.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1d8cd755-03e7-4721-ac6e-3f13856ef818/how_to_use_switch_pro_controller_on_dolphin.pdf
    • https://9a4203bb-6ff2-4ef1-9c63-3f113f84a884.filesusr.com/ugd/ea9bdf_8848894f747b4878b491c0132993d8c7.pdf?index=true
    • https://76b44699-1094-4fd8-8d4a-70b7be8159c3.filesusr.com/ugd/c450b2_3a9c48deef6e4b3f9a6e64466b92c58e.pdf?index=true
    • https://6b52f5a6-db44-4d3e-8337-ab33c729cb13.filesusr.com/ugd/f4de5e_47faed9453584eafa4623d66d73e8d72.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6564f42d-7d40-408a-9c41-4350688accb2/esl_list_of_most_common_phrasal_verbs.pdf
    • https://uploads.strikinglycdn.com/files/95e91a30-1c61-42d5-beca-edaf214fa5c3/violin_finger_exercises_for_beginners.pdf
    • https://625f08e2-3d8e-45b5-8e8c-b95d001c5c7c.filesusr.com/ugd/d94ae5_74b4b9758708445c9447f64889d2645a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/74888651-deac-4bb4-b51d-0b63c04c88d2/cunninghams_encyclopedia_of_magical_herbs_amazon.pdf
    • https://uploads.strikinglycdn.com/files/e111ab8e-f396-4e08-814b-5a3758844cea/chicco_keyfit_35_infant_car_seat_-_iris.pdf
    • https://uploads.strikinglycdn.com/files/d563bd06-7ecc-4532-87c0-8147bd6fef9f/96934351753.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001054d.bin
67c990ea72c89f6be2b82d5efdbd203e80ff1b6908770d6b94f16d51521fb0bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1054D 5268 bytes
font_01_sfnt_off00011741.bin
79139120851c6943a771a3125fab5236fb2f062c787f36eca2456c3403b105e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11741 10980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.