Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7edcf35e2b676ee…

MALICIOUS

PDF

103.0 KB Created: 2021-03-27 11:49:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58af6159672786d4daba22818855edba SHA-1: dc9a9ddf4711b99bf2f6f9b118c0ea797d3488ae SHA-256: e7edcf35e2b676eef1eea9cc6825ce59e061cd2377f8cdf26548afe639074abb
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are dynamically generated or use suspicious domains, indicating a link farm or SEO spam tactic. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution via these links. No scripts were extracted, but the PDF structure itself is indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=onam+annum+innum+in+malayalam+pdf
    • https://xopigitit.weebly.com/uploads/1/3/4/3/134339451/31d7d1e.pdf
    • https://kegegizexuf.weebly.com/uploads/1/3/4/0/134042356/tamaboxukunigas.pdf
    • http://devubowoku.mypressonline.com/anexo_5_simples_nacional_2020.pdf
    • https://cdn.sqhk.co/fisoxinizo/if84ihJ/30919735442.pdf
    • https://tejukikefuxod.weebly.com/uploads/1/3/4/7/134703803/pemowuv_zobiduwatojofo_tosakuf.pdf
    • https://cdn.sqhk.co/bubuzibiv/Thfhjij/shellac_nails_near_me_open_sunday.pdf
    • https://cdn.sqhk.co/feketukadoz/jiu0Lii/48700596417.pdf
    • http://vuletotam.scienceontheweb.net/pewanemazupojesemon.pdf
    • http://ninuwekevap.scienceontheweb.net/medical_authorization_form_for_minor.pdf
    • http://hrushch.space/hymne_des_fraterniss_en_franaisnw9c2.pdf
    • https://jukudedavat.weebly.com/uploads/1/3/0/9/130969580/riwuvimaxofumi.pdf
    • http://lubevos.scienceontheweb.net/53836535095.pdf
    • http://relodifalixogo.scienceontheweb.net/63005597590.pdf
    • https://cdn.sqhk.co/lobinazema/gjggwgi/91230303447.pdf
    • http://labincom-med.ru/bear_snores_on_stem_activities2jj7f.pdf
    • https://nabivedoki.weebly.com/uploads/1/3/1/4/131407492/wenadopa.pdf
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102Hussain
    • http://smc.org.inhttp://smc.org.in
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f1ddcea9-c323-452c-a4d3-aaefec61e50a.filesusr.com/ugd/defd8a_4fddcde0b1b94f45b6878e0021c37e23.pdf?index=true
    • https://76c9fb28-c10e-4950-85be-37de24a2ede8.filesusr.com/ugd/fa32a6_de93ab88957e47bf8f1744e320691c07.pdf?index=true
    • https://s3.amazonaws.com/regufojalojaza/jexenapamobe.pdf
    • https://s3.amazonaws.com/rimepusox/50864135320.pdf
    • https://s3.amazonaws.com/pavujiniz/which_browser_is_safest_for_online_banking.pdf
    • https://b1b1ed1d-a631-407f-b8a0-2f609481a9c2.filesusr.com/ugd/3e5895_ffd884e7a69446b195240459e8e39ac3.pdf?index=true
    • https://s3.amazonaws.com/dinigugaxej/chief_information_technology_officer_responsibilities.pdf
    • https://84daacc9-7e90-4c5d-b1ed-526950900c49.filesusr.com/ugd/73f3b0_0ee91193b8474bebaea57d87db5dc968.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://gitlab.com/smc/meera/blob/master/COPYING
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00010b27.bin
3931391cff6b6de6c1ea92e9c285a6c45cbb5933824f2e008a1f30fc5554e07e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x10B27 33924 bytes
font_00_sfnt_off0000fa0a.bin
40d587125f4d340ab88397e98e6b891e33cf3768a178a1901b1e66d9c8feb405		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA0A 5040 bytes
font_02_sfnt_off0001679b.bin
1125b33ad160232218914366e483ee20f9135d9102aa4968e2d2276fc206ca05		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1679B 10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.