Malicious PDF — malware analysis report

Static analysis result for SHA-256 eebb6452a3b13403…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-03-14 11:02:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95639e1f78112ea26d7d630813a996be
SHA-1: bb05079cf5d9616424b4044f31fce0bc82da3467
SHA-256: eebb6452a3b13403852dcb6601632d2625edb284b2622ee4b497cb163f69b59b
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms and phishing lures. The ML classifier and the ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and the extensive set of external URLs suggest it is designed to redirect users to potentially malicious content or to download further payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9954

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e693.bin
  SHA-256: 4ea3dc6b242714333bae36193d1c8b10d80473d05567da55301cee451de16942
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE693
  Size: 5496 bytes

Filename: font_01_sfnt_off0000f933.bin
  SHA-256: 1deeeb5733f26cf9f7da000e483c502766a5b9bf22dfcd7133cb2ab2c6efc6cf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF933
  Size: 10704 bytes

Filename: font_02_sfnt_off00011e41.bin
  SHA-256: 713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11E41
  Size: 16060 bytes