Malicious PDF — malware analysis report

Static analysis result for SHA-256 f467e9151c20ede1…

MALICIOUS

PDF

Size: 89.0 KB
Created: 2021-03-15 17:05:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01519b0d97dec51fe8e7aac34c456f99
SHA-1: d54bd717f945c63c50aafa251f5805a2c5946999
SHA-256: f467e9151c20ede1de922190a57fdf7dc446514927bd7a02f177e9fb52795c19
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, and a critical heuristic identifies it as a link farm. The ML classifier and the ClamAV detection both strongly indicate malicious intent, specifically phishing. Although no scripts were directly extracted, the PDF structure and the embedded URIs indicate that the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010ff2.bin
    SHA-256: 70238cdfb1d7c72185872a8da2063da1b0e9f87bf1821451f1c62334685248ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10FF2
    Size: 3952 bytes
  • Filename: font_01_sfnt_off00011dff.bin
    SHA-256: 131a0bf2d429ead45ae6f373c582d8a66800d15f601e612ba085d7313f561202
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11DFF
    Size: 5704 bytes
  • Filename: font_02_sfnt_off00013154.bin
    SHA-256: 1a9309f3f0cb58417c80a8986dc438b524dbc3fe173f803bc476dd99dcde4e45
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13154
    Size: 10752 bytes