Malicious PDF — malware analysis report

Static analysis result for SHA-256 f27d6696236e2c80…

MALICIOUS

PDF

81.5 KB Created: 2021-05-08 08:19:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a3a48451a5b2be5d8a199771633ae2c SHA-1: 2d4e451c575ffd57ba46bf818fe38a4d2ee9b2e8 SHA-256: f27d6696236e2c803e51c0dd84caaf7cb392b4e5541451c92e9b9cdef31fb97e
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, with heuristics identifying a 'link farm' and 'suspicious link lure' pointing to domains like 'crophysi.ru' and 'ilook.market'. The document body, though heavily obfuscated, contains text related to 'free background check', suggesting a phishing or scam lure. The presence of embedded JavaScript further supports malicious activity, likely for redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=completely+free+background+check+no+credit+card+needed
    • http://ilook.market/5481537341671bw5.pdf
    • https://cdn.sqhk.co/tibakekavero/iihbt81/52213197864.pdf
    • https://cdn-cms.f-static.net/uploads/4382790/normal_6059d7e36ec2c.pdf
    • https://cdn.sqhk.co/jewezaledev/n2gjghM/guzixasidasareboraxevew.pdf
    • https://cdn.sqhk.co/janawezexoj/ighfqjj/implosion_never_lose_hope_apk_data_offline.pdf
    • https://cdn.sqhk.co/bolomadu/dl6hbRl/sazukosaju.pdf
    • http://managerprogram.live/22781012165ekmbb.pdf
    • http://crawlmqyu.space/how_to_thread_bobbin_brother_lx_3125x2qle.pdf
    • http://copyrighytsupport.com/663833486235q2xi.pdf
    • https://static.s123-cdn-static.com/uploads/4504568/normal_6004b1ae7bead.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lodonevubepivor.epizy.com/rejagezitizasolonavi.pdf
    • https://27a83426-c768-4525-a63d-b5b732cca755.filesusr.com/ugd/28b3f7_3b2df37ba77446dd9ae1eb8158b84f32.pdf?index=true
    • https://11ab4cf5-156d-4417-99e9-5039b2a7eb5f.filesusr.com/ugd/82d61e_f7404ec34cc44c4bb8c90d2ca5803650.pdf?index=true
    • http://rufuvavigesu.epizy.com/puwavuxukuturin.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f55a.bin
1bb9685c823eefbdf59cf38cc6aa1cb9be51b467d698e7e68e9a0414e0fc51e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF55A 5604 bytes
font_01_sfnt_off0001083d.bin
19d579821e83c32cd478aefcb57f849508ece8625c42f2108810477b29a00d2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1083D 1936 bytes
font_02_sfnt_off00011183.bin
82dd45cf2b017543a1ef860116bae55ca963dc0e572b5abc02911116866835e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11183 10724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.