Malicious PDF — malware analysis report

Static analysis result for SHA-256 e88795ebf5bfe07a…

MALICIOUS

PDF

82.4 KB Created: 2021-03-30 22:12:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e574dfcf5f255e13270ed686214871a0 SHA-1: d122929af21c684f36048d92aa41acb155c772ad SHA-256: e88795ebf5bfe07a71ea86447dabc350e9ac8f13f27149fbbf38fb0d1ea5b9b4
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ML classification and ClamAV, indicating malicious intent. The presence of numerous external links, particularly those associated with SEO link farms and callback phishing lures, suggests a campaign to redirect users to malicious sites or engage them in fraudulent schemes. The document body, though heavily obfuscated, contains keywords related to a 'Directv iowa city channel guide', likely serving as a lure to encourage interaction with the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/wix?keyword=directv+iowa+city+channel+guide
    • https://cdn-cms.f-static.net/uploads/4481819/normal_602a514c74054.pdf
    • http://hotloveme.online/depression_testtabzf.pdf
    • https://wegekasi.weebly.com/uploads/1/3/4/6/134678838/vawidarulo-vujewazavab-danafig.pdf
    • https://cdn-cms.f-static.net/uploads/4465136/normal_601337423e857.pdf
    • http://particulier-societegenerale.xyz/xiworijefora1o1i7.pdf
    • https://static.s123-cdn-static.com/uploads/4455207/normal_600299e63c9d4.pdf
    • https://zagezawuguzuvu.weebly.com/uploads/1/3/4/7/134731207/5458295.pdf
    • https://berarenojinoz.weebly.com/uploads/1/3/4/7/134737003/dd19fd4.pdf
    • https://static.s123-cdn-static.com/uploads/4413563/normal_5ff5a1b5f0c44.pdf
    • http://getallcreditscores.info/gosemefaresekaxusafig4h048.pdf
    • https://static.s123-cdn-static.com/uploads/4465704/normal_5fe00f6fa4ec5.pdf
    • http://raisinshub.club/3022985399371gjq.pdf
    • http://mysteps.online/97765485654bcbb6.pdf
    • https://saniluje.weebly.com/uploads/1/3/4/3/134323688/9030295dce.pdf
    • http://all-system7.xyz/57927665798f3ep1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/liwafo/metroid_prime_4_release_date_2022.pdf
    • https://s3.amazonaws.com/xesigeze/tomorrow_weather_report_in_kolkata.pdf
    • https://05b56818-8b0b-4484-a411-4f1234233f1c.filesusr.com/ugd/e49726_83739d139d28485980726dc0a412dcfa.pdf?index=true
    • https://8dfd47f4-e591-4377-92a3-bdbf91d41e5a.filesusr.com/ugd/a58b01_7dd808b8f3be43ef80ecabd4b4f79e52.pdf?index=true
    • https://f904ef53-caa1-4f0f-8a97-c50675c03ece.filesusr.com/ugd/2f8cea_8262fab367c54d03a6f3cb6a7a1b3d40.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebf6.bin
b77c6867489c9792b7ecf941d0b59d61392638f9412087f0b187a1da2bcd2e39		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBF6 5276 bytes
font_01_sfnt_off0000fe04.bin
f59afce115d09f91257df24ea96cdcf90b18ab28a26fd8e667ae0001eceab51c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE04 11836 bytes
font_02_sfnt_off00012697.bin
281214d1119d96f3a8ebe36682ff3c94e77595198e0ed7d049f81fad77dcdf11		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12697 16240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.