Malicious PDF — malware analysis report

Static analysis result for SHA-256 edeab2c60f248e0d…

Verdict: MALICIOUS
File type: PDF
Size: 90.1 KB
Created: 2021-02-14 09:19:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc4489d4c9f3143628f0c55fbfd44a0d
SHA-1: 74ba4c933049f336342ff2856c71c883fe7eb7e1
SHA-256: edeab2c60f248e0d80fc047c50237308899077349e3944f165860e65c7187892
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external link annotations, most of them pointing at .pdf URLs clustered on a few hosts (cdn.sqhk.co, s3.amazonaws.com buckets, *.rf.gd and *.weebly.com subdomains). That is the shape of a generated SEO/link-farm carrier that routes users into malicious or unwanted-software delivery chains rather than a genuine document, and the wkhtmltopdf producer string is consistent with an HTML page rendered to PDF by a generator. The ClamAV phishing signature and the ML classifier score (0.9995) corroborate the verdict. No JavaScript or other active content was extracted from the file, so the T1059.007 mapping is not supported by the static findings; the delivery mechanism actually observed is the URI actions on the link annotations, which fire when a user clicks a link. Note that several of the extracted URLs are not link targets at all: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries almost certainly come from the vendor and licence records in the name tables of the four embedded fonts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action (/S /URI), the mechanism by which a clicked link annotation opens a remote address.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins parser and a last-wins parser will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, where a saved-over document appends a new copy of each changed object, so severity is raised only when the duplicated object carries active content (JavaScript, launch or URI actions, additional-actions dictionaries).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are what distinguish a clickable target from a string that merely occurs somewhere in the file. Extracted URLs:
    • https://maypoin.ru/wix?keyword=blade+and+soul+blade+dancer+guide
    • https://cdn.sqhk.co/pimidima/8ifhbii/car_driving_experience_days_scotland.pdf
    • http://soinjaga.ru/55804726144x1bl0.pdf
    • https://sebumeganajili.weebly.com/uploads/1/3/0/8/130874272/9276576.pdf
    • http://bcipreactivaperu.com/cayenne_hybrid_2017_manualx298d.pdf
    • https://rovepegolotiru.weebly.com/uploads/1/3/4/3/134319415/54b08.pdf
    • https://cdn.sqhk.co/goganededem/tgiicXi/jigibikozubuzodenuti.pdf
    • https://cdn.sqhk.co/zubuwebofe/fC74ifF/new_mods_for_minecraft_on_xbox_360.pdf
    • https://cdn.sqhk.co/torujazelome/ahaKidE/37638549848.pdf
    • https://cdn.sqhk.co/leporolino/ihcbift/sumedeluful.pdf
    • https://cdn.sqhk.co/vilomikov/dH8U9hj/pixel_racer_mod_ios.pdf
    • https://cdn.sqhk.co/kazamepa/dgctgjw/best_wilderness_survival_shows.pdf
    • https://cdn.sqhk.co/zidezofa/pmifjaC/open_laptop_image.pdf
    • http://hookup681.site/lagisafotixewevinuzoopjp3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/getizar/unesco_logo_guidelines.pdf
    • https://s3.amazonaws.com/davubewu/sf_chronicle_voting_guide.pdf
    • http://tupusivamiguta.rf.gd/glencoe_algebra_1_common_core_textbook_answers.pdf
    • https://s3.amazonaws.com/nigimul/christmas_song_easy_piano_sheet.pdf
    • http://pupekafujobuda.rf.gd/99571898814.pdf
    • https://s3.amazonaws.com/wuvepilamamuse/bengali_movies_kolkata_free.pdf
    • http://bogazukutij.rf.gd/esc_dyslipidemia_guidelines_2016.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
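
As an added worked example (not the scanner's own code, whose rule logic is not published on this page), the following Python shows how the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced from the raw bytes of a file, and why the XMP namespace URIs in the EMBEDDED_URL list do not count as link targets. It runs over a small constructed PDF, not the analysed sample; the thresholds (200 KB, five .pdf links, 60 % of them on one host) and the list of dictionary keys treated as active content are assumptions for illustration. The object scan is a regex over `N G obj ... endobj` pairs, so it only sees uncompressed top-level objects; a real check must inflate object streams first.

```python
"""Illustrative re-implementation of two PDF heuristics: a link-farm check and a
duplicate-indirect-object check, plus a split of clickable vs. metadata-only URLs."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file. Object "1 0" is defined twice with
# different bodies (the incremental-update shape); six link annotations point
# mostly at one host; the XMP packet carries namespace URIs that are not clickable.
# No xref table: the toy parser below scans for "N G obj ... endobj" instead.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/a/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/b/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/c/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/d/four.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.example.org/five.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/) >> >> endobj
10 0 obj << /Type /Metadata /Subtype /XML /Length 133 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>
endstream
endobj
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (http://lure.example.org/x.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")   # string operand of /URI
ANY_URL_RE = re.compile(rb'https?://[^\s<>"()]+')                # any http(s) URL in the bytes
# Keys that make a duplicated object worth raising (assumed list, not the scanner's).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|URI|SubmitForm|GoToR)\b")


def parse_objects(pdf):
    """Map (num, gen) -> list of body bytes in file order; duplicates are kept."""
    objs = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        objs.setdefault((int(num), int(gen)), []).append(body)
    return objs


def uri_action_targets(pdf):
    """URLs a reader will actually open: only the operands of /URI actions."""
    found = []
    for bodies in parse_objects(pdf).values():
        for body in bodies:
            found += [m.decode("latin-1") for m in URI_ACTION_RE.findall(body)]
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def metadata_only_urls(pdf):
    """URLs present in the bytes (XMP namespaces, font licences) that are never a URI action."""
    raw = {m.decode("latin-1") for m in ANY_URL_RE.findall(pdf)}
    return sorted(raw - set(uri_action_targets(pdf)))


def link_farm_check(pdf, max_size=200_000, min_pdf_links=5, cluster_share=0.6):
    """Flag a small PDF whose clickable links are mostly .pdf URLs on one host."""
    external = [u for u in uri_action_targets(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_share,
        "size": len(pdf), "external_links": len(external), "pdf_links": len(pdf_links),
        "top_host": top_host, "top_host_share": round(share, 3),
    }


def duplicate_object_check(pdf):
    """Report object numbers defined more than once with differing bodies, with the
    first-wins and last-wins resolutions and whether any copy carries active content."""
    findings = []
    for (num, gen), bodies in parse_objects(pdf).items():
        if len(bodies) < 2 or all(b == bodies[0] for b in bodies):
            continue  # single definition, or byte-identical re-definitions
        active = sorted({m.decode() for b in bodies for m in ACTIVE_RE.findall(b)})
        findings.append({
            "obj": f"{num} {gen}", "copies": len(bodies),
            "first_wins": bodies[0].decode("latin-1"), "last_wins": bodies[-1].decode("latin-1"),
            "active": active, "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    print(link_farm_check(SAMPLE_PDF))
    print("metadata-only:", metadata_only_urls(SAMPLE_PDF))
    for f in duplicate_object_check(SAMPLE_PDF):
        print(f["obj"], f["severity"], f["active"])
```

On the analysed sample the cdn.sqhk.co, s3.amazonaws.com, rf.gd and weebly.com .pdf URLs would be the ones returned by uri_action_targets(), while the w3.org, purl.org and ns.adobe.com entries would land in metadata_only_urls(). When a duplicated object is reported, diffing its first_wins and last_wins bodies is the quickest way to tell which parser family the file is aimed at.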

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs (sfnt, the TrueType/OpenType container format); no embedded files, scripts or other payload objects were carved, which is consistent with the verdict resting on the link structure rather than on active content.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f8e8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF8E8   9468 bytes
  SHA-256: 4c8d30c019078cd048095861246f1a9d944435cb8ecfdc0bb046d90b5cd5ef3b
font_01_sfnt_off0001172e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1172E  5100 bytes
  SHA-256: db044c21396e4a4f52347069d0bed4401789967aa7df8c94fd00dffd06afe038
font_02_sfnt_off0001287d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1287D  10404 bytes
  SHA-256: 7ee039ef13f110025e38a8a1e3f1bfd3af1937200664bfacbc843eb08478786c
font_03_sfnt_off00014c1d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14C1D  4324 bytes
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361