Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9a31c01e9d262e7…

Verdict: MALICIOUS
File type: PDF
Size: 111.4 KB
Created: 2021-03-16 16:40:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b9a7c73c7cee67d6a849f1c2517ce4f
SHA-1: 2e096f26fce7b756e7e6df85a1fe23075c526426
SHA-256: e9a31c01e9d262e70ca3e2764a2f42a49990be353c00b4e77ba101ffa3da73de
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, almost all of them to look-alike .pdf paths on a handful of free-hosting and CDN domains (weebly.com, cdn.sqhk.co, s123-cdn-static.com, f-static.net, s3.amazonaws.com) plus a few throwaway domains. That is the signature of a generated SEO/link-farm carrier, not of a document citing sources. Together with the ClamAV phishing signature and the classifier score of 0.9990, the evidence points to phishing or malware distribution: the document exists to route the reader into an external delivery chain, not to present content. No JavaScript, embedded file or launch action was flagged by the heuristics, so the malicious behaviour depends entirely on the user following a link. The w3.org, purl.org and ns.adobe.com entries in the URL list are XMP namespace URIs, and the dejavu.sourceforge.net, scripts.sil.org and ascendercorp.com entries are most likely licence and vendor references carried in the embedded font metadata; none of these are link targets and they are expected for a wkhtmltopdf/Qt-generated file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G, written as N G obj) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence the info rating.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/123?utm_term=3a+transformers+dark+of+the+moon+bumblebee
    • https://dojilosadokadog.weebly.com/uploads/1/3/4/8/134890500/zejatanufesabip.pdf
    • https://vazanopika.weebly.com/uploads/1/3/4/8/134896022/49cfec0c7d.pdf
    • https://cdn.sqhk.co/xobadata/mPtafQ2/legaj.pdf
    • http://misstourist.info/42664022310dn0wl.pdf
    • https://cdn.sqhk.co/natokaze/ehas1aW/fun_race_3d_unblocked.pdf
    • https://static.s123-cdn-static.com/uploads/4415767/normal_6006567edbef8.pdf
    • https://cdn.sqhk.co/verexoleki/ggiAgjy/nisopuxe.pdf
    • https://cdn.sqhk.co/tewokozogop/Ahds1Q0/sonic_the_hedgehog_coloring_pages_free_printables.pdf
    • https://cdn.sqhk.co/xigofidiw/gcFghdt/gurifimofofipefakudid.pdf
    • https://cdn-cms.f-static.net/uploads/4377717/normal_60402eaaf0747.pdf
    • https://duvigenusidila.weebly.com/uploads/1/3/4/7/134736387/8348443.pdf
    • http://gratoraama.space/vuterepepedoxoxefakh6.pdf
    • https://lojigimab.weebly.com/uploads/1/3/0/8/130814508/7118d8.pdf
    • https://static.s123-cdn-static.com/uploads/4387582/normal_5ffd7dcc53e8d.pdf
    • http://ziwavabewite.66ghz.com/doloju.pdf
    • http://keep-travel.com/16514789643y4rp.pdf
    • https://kogexabisuzim.weebly.com/uploads/1/3/4/3/134322867/jonebatugozejewuka.pdf
    • http://sait-ok.ru/whirlpool_dishwasher_not_draining_brand_newewv3y.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kuviwobabevi.epizy.com/92808598230.pdf
    • https://s3.amazonaws.com/dojonuta/windows_10_bluetooth_driver.pdf
    • https://s3.amazonaws.com/daniwodug/what_does_orange_light_on_my_apple_charger_mean.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
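The two heuristics above that carry parsing logic, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short static scan. The Python below is an added example written for this report, not the analysis engine's own code. It runs over a constructed PDF (an original body plus an incremental update that redefines object 4 0 with a different /URI), reports object ids defined twice with differing bodies, resolves each link annotation under a first-wins and a last-wins policy so the divergence is visible, and applies a link-farm score whose thresholds (at most 512 KB, at least 3 links, 60% of them on one host) are assumptions for the example rather than the report's rule parameters.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an original body whose object
# "4 0" links to example.org, followed by an incremental update that redefines
# "4 0" with a different /URI.  Objects 5-7 cluster on one host, the shape the
# PDF_SEO_LINK_FARM heuristic looks for.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/about) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/a/one.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/b/two.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/c/three.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example-farm.test/x.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def object_definitions(data):
    """All `N G obj ... endobj` definitions in file order, repeats included."""
    return [((int(n), int(g)), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data):
    """Object ids defined more than once with differing body bytes
    (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). Identical repeats are ignored."""
    first, dups = {}, {}
    for key, body in object_definitions(data):
        if key in first and first[key] != body:
            dups.setdefault(key, [first[key]]).append(body)
        first.setdefault(key, body)
    return dups


def resolve(data, key, policy="last"):
    """Body a first-wins or last-wins reader would use for object `key`.
    Linear scan only: the xref/trailer chain is ignored on purpose."""
    bodies = [body for k, body in object_definitions(data) if k == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def link_uris(data, policy="last"):
    """/URI targets of link annotations, each object resolved under `policy`."""
    keys = dict.fromkeys(k for k, _ in object_definitions(data))  # unique, in order
    uris = []
    for key in keys:
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(resolve(data, key, policy)))
    return uris


def link_farm_score(uris, size_bytes, max_size=512 * 1024, min_links=3, dominance=0.6):
    """Small file + many external links + most of them on one host.  The
    thresholds are assumptions for this example, not the report's rule parameters."""
    hosts = Counter(urlparse(u).netloc for u in uris if u.startswith(("http://", "https://")))
    total = sum(hosts.values())
    if total == 0:
        return {"hit": False, "links": 0, "top_host": None, "share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / total
    hit = size_bytes <= max_size and total >= min_links and share >= dominance
    return {"hit": hit, "links": total, "top_host": top_host, "share": round(share, 2)}


if __name__ == "__main__":
    for key, bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)} times with different bodies")
    for policy in ("first", "last"):
        print(policy, "->", link_uris(SAMPLE_PDF, policy))
    print(link_farm_score(link_uris(SAMPLE_PDF), len(SAMPLE_PDF)))
```

The scan deliberately ignores the xref/trailer chain: a conforming reader resolves objects through the newest xref section, which is effectively last-wins, while lenient or reconstruction-mode parsers that walk the file linearly can settle on the first definition. That is exactly the divergence the heuristic flags. To run it against a real sample, substitute open(path, "rb").read() for SAMPLE_PDF; objects packed into compressed object streams (/ObjStm) are not expanded here and would need a real PDF parser.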

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cbc0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCBC0
  Size: 47700 bytes
  SHA-256: 87fc2e1575b8950cadf53d6642fb27fab8099b70a2c2489d47f016115aefb723
Filename: font_01_sfnt_off00015f27.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15F27
  Size: 5420 bytes
  SHA-256: 1c65293a253e0d8f319c41f168ca7a1a39f1a5b09557db59500165918865e8b4
Filename: font_02_sfnt_off00017166.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17166
  Size: 11376 bytes
  SHA-256: e76c7f9371dc189bdfd8c10bbc4ea44229eac8aa9393e6a79a8ef2b1f999e44e
Filename: font_03_sfnt_off000196a9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x196A9
  Size: 16160 bytes
  SHA-256: 7e63eb3bed9c4ceaf47e86587cf77a789dba98dd2b4db382f0c7f052a0aeb8ce