Malicious PDF — malware analysis report

Static analysis result for SHA-256 f83ce874c8ff00fa…

Verdict: MALICIOUS
File type: PDF
Size: 112.1 KB
Created: 2021-04-15 05:40:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c56d046c1a9dd932ed5bd4d97eed918
SHA-1: 2c199de3fb14b070810d192d49b6aa2c2e5ebd88
SHA-256: f83ce874c8ff00fa02dafc2d0c3bd401950d6f61ab5a1d412b46650c4d600a1d
Risk Score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of a "download button" lure and a large number of embedded external links, including a link farm, suggests a phishing or scam attempt. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a malicious document designed to trick users into downloading or visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (7)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=ms+project+professional+2013+free+download+full+version+32+bit
    • https://lefiletigej.weebly.com/uploads/1/3/4/5/134597596/pavizosatesewe.pdf
    • http://semasinizitowo.medianewsonline.com/65742074942.pdf
    • https://cdn.sqhk.co/vudemijugamu/fgicFaB/71230712344.pdf
    • https://cdn.sqhk.co/fedovipawe/hz2C8HZ/61146965700.pdf
    • https://mepifinifiwiza.weebly.com/uploads/1/3/4/3/134334375/1388298.pdf
    • https://cdn-cms.f-static.net/uploads/4494648/normal_601f8db3e4a79.pdf
    • https://cdn.sqhk.co/vuwipabobatu/fhggehh/xunopezefuxuvaxevoteteta.pdf
    • https://static.s123-cdn-static.com/uploads/4375708/normal_5fc7515d19552.pdf
    • https://falomomorojed.weebly.com/uploads/1/3/1/4/131438216/pukenifasuzusifi.pdf
    • https://lulotileja.weebly.com/uploads/1/3/0/8/130873917/4572817.pdf
    • https://cdn-cms.f-static.net/uploads/4371240/normal_6016a6ea3c663.pdf
    • https://cdn.sqhk.co/batumozi/7jbkMja/81661070759.pdf
    • https://cdn.sqhk.co/powitaxixu/kpEiTXk/vabuxewonifuputubibomipum.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vabedafozo/80450123511.pdf
    • https://s3.amazonaws.com/jebokizez/how_to_block_calls_on_panasonic_landline_phone.pdf
    • https://s3.amazonaws.com/fejakixoweka/geometria_analitica_boulos_download.pdf
    • https://s3.amazonaws.com/tedowafomaru/zenun.pdf
    • https://s3.amazonaws.com/lorugipopuxe/ca_ipcc_exam_date_sheet_nov_2018.pdf
    • https://s3.amazonaws.com/likerajatob/respondent_informant_skillnad.pdf
    • http://jitawidavez.atwebpages.com/bhagavad_gita_chapter_12_slokas_in_telugu.pdf
    • http://zupitatip.atwebpages.com/not_getting_paid_to_do_what_you_love.pdf
    • https://s3.amazonaws.com/goneduzum/99145017314.pdf
    • https://s3.amazonaws.com/ruzaganog/android_os_9._1_system.pdf
    • https://s3.amazonaws.com/jevelel/jobekez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00015acf.bin
    SHA-256: 9d23cd250d1969b7a21f062aa097aeaeb9ecb71c512d818d56047deb583756b7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15ACF
    Size: 6012 bytes
  • font_01_sfnt_off00016f76.bin
    SHA-256: 57575f701bd42fa4aeec41e38244f231d772a278ab90effc5cdef024427abb1c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16F76
    Size: 11688 bytes
  • font_02_sfnt_off00019793.bin
    SHA-256: dcc63ef3f64773b0bb30b68f7c63e09fab9aa81d3fae7398da474383b7b8c95f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19793
    Size: 17504 bytes