Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8de9f1ea8e21aca…

Verdict: MALICIOUS
File type: PDF

Size: 84.1 KB
Created: 2021-03-19 10:33:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 184fe381ea9bb2432f2154869d493fc0
SHA-1: 1ed372a9466359517b3ec234766ba11a2cb46781
SHA-256: f8de9f1ea8e21acae5490704154520d5fa9975b71990236b00219e13d082d27d
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
The T1059.007 mapping is not backed by any heuristic in this report: none of the five heuristics below reports a JavaScript object in the file, so treat that technique as unconfirmed by the static findings shown here.

The PDF carries a large number of clickable links to external hosts, flagged by the PDF_URI and PDF_SEO_LINK_FARM heuristics. Nearly all of them point at further .pdf files on what appear to be free web-hosting and site-builder CDN domains (scienceontheweb.net, rf.gd, epizy.com, 66ghz.com, filesusr.com, s123-cdn-static.com), which is the shape of a generated SEO link-farm carrier rather than a document citing sources; the wkhtmltopdf creator string is consistent with mass HTML-to-PDF generation. The Nyx classifier (score 0.9950) and the ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 independently classify the file as a phishing/trojan PDF. Taken together this points to a phishing or malware-distribution campaign in which the document is delivered as a spearphishing attachment and routes the reader to the next stage through its links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI [info] PDF_URI
    The PDF contains at least one /URI action, i.e. an external URL that is opened when a link annotation is clicked.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically because an incremental update was appended after the original %%EOF. First-wins and last-wins readers then resolve different content, a parser-confusion shape used in targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or URI actions, and the like).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced in this extract) say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=my+cloud+ex2+ultra+firmware+downgrade
    • http://rolapisi.scienceontheweb.net/97415917186.pdf
    • http://mantenancie.com/919098732015iztr.pdf
    • http://momentshop.website/doxugoxaremeyjx5v.pdf
    • http://koolmaxt.online/how_to_make_origami_paper_ninja_stars11pdi.pdf
    • https://static.s123-cdn-static.com/uploads/4369796/normal_60079ffce32d4.pdf
    • http://tagoturuluro.medianewsonline.com/endogenous_and_exogenous_antioxidants.pdf
    • http://beveram.66ghz.com/dusememegelovati.pdf
    • http://fullpisetc.ru/mahalia_back_up_planiv85f.pdf
    • https://cdn-cms.f-static.net/uploads/4369174/normal_6051e1a05589e.pdf
    • https://static.s123-cdn-static.com/uploads/4420910/normal_5ffb934c34a9e.pdf
    • http://majexifavel.scienceontheweb.net/nasadapilutoma.pdf
    • https://static.s123-cdn-static.com/uploads/4387924/normal_5ff32adb41c46.pdf
    • http://boost-store.net/6265219858873vus.pdf
    • http://gamowenugeg.sportsontheweb.net/how_do_i_connect_my_logitech_bluetooth_mouse_to_my_macbook_air.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://masemipeba.myartsonline.com/angiosperm_file.pdf
    • https://09af0a6c-c0e6-47ff-90c1-5b173435ccd1.filesusr.com/ugd/b92b66_7621be3727c34c7ca6a271baea0229c5.pdf?index=true
    • https://de7eff9d-5c50-4122-bb99-ee112abf7a8f.filesusr.com/ugd/db8f21_b91ce3aa8b1c459f884a5502f6358893.pdf?index=true
    • https://6205d428-d5dc-494e-bbc3-e2236f9d811e.filesusr.com/ugd/6885a6_79b336ce81414b35991e676002d50326.pdf?index=true
    • https://cb6d8354-940b-4e05-9f1d-0150973ab277.filesusr.com/ugd/882da0_4c3419661af443cf927eb0f6fbcad0f1.pdf?index=true
    • https://5d94d51b-2702-4b64-8df3-eadd022f3edc.filesusr.com/ugd/2ddd39_38395e271e604352927573ba3608316c.pdf?index=true
    • https://0df22b04-17ae-4e65-9af8-3af4445b4601.filesusr.com/ugd/71fd01_c1ab596fe4ff4b96b58bc54899459a25.pdf?index=true
    • https://b304dada-1952-41b2-af44-d16a3232bb3f.filesusr.com/ugd/c19c34_77c01ecd9bed444aa4cbe0df49fb2050.pdf?index=true
    • http://gebejofokim.rf.gd/bessacarr_e425_owners_manual.pdf
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_ecdfc6bbf4b34c109454a37d1809ba92.pdf?index=true
    • http://texuxirim.epizy.com/11965300005.pdf
    • https://d4180a97-8dd0-4bf1-9e2f-d1b128d1a64d.filesusr.com/ugd/ae059d_aa70d0ce9c9e4fefa6f00030b7c30556.pdf?index=true
    • https://8b83d164-5e56-46cc-b941-48f48810ddf3.filesusr.com/ugd/76ce43_cebabc2c1d304d5c99ec03174b41a689.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are not link targets: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP namespace identifiers from the document's metadata packet, and the scripts.sil.org and dejavu.sourceforge.net URIs are licence references that most likely come from the name tables of the embedded fonts listed under Extracted artifacts. Ascender Corporation is a type foundry, so the two ascendercorp.com entries above are probably the same kind of font metadata; confirm that against the per-URL labels before treating them as lures.
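As an added illustration (not code from the analysis platform that produced this report), the script below re-implements the two heuristics that carry the actual reasoning in this report, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, over raw PDF bytes with the standard library only. The thresholds (200 KB, 10 links, 50 % on one domain), the last-two-labels domain grouping and the sample PDF built by build_sample() are assumptions made here for the demonstration; the report does not publish its tuning.

```python
"""Two of the checks the heuristics above describe, re-implemented as a
stdlib-only triage script: the link-farm shape (many external /URI link
actions in a small file, clustered on one domain) and an indirect object
number defined twice with different bodies (incremental-update confusion).
Regex over the raw bytes; object streams (/ObjStm), hex strings and
encrypted files are not handled, so inflate those first in real use."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are illustrative assumptions, not the report's own tuning.
MAX_SIZE = 200 * 1024   # "small PDF"
MIN_LINKS = 10          # "many clickable external links"
CLUSTER_SHARE = 0.5     # "mostly clustered on one host"

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence in a duplicated object means the confusion can change
# what the reader executes or where it navigates.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/GoToR",
               b"/SubmitForm", b"/OpenAction", b"/AA")


def pdf_string(raw: bytes) -> str:
    """Undo the literal-string escapes that matter for URLs: \\( \\) \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def extract_uris(data: bytes) -> list:
    return [pdf_string(m.group(1)) for m in URI_RE.finditer(data)]


def link_farm_check(data: bytes) -> dict:
    """PDF_SEO_LINK_FARM-style verdict plus the numbers behind it."""
    parsed = [urlsplit(u) for u in extract_uris(data)]
    domains = Counter(registrable(p.hostname or "") for p in parsed)
    top_domain, top_n = domains.most_common(1)[0] if domains else ("", 0)
    share = top_n / len(parsed) if parsed else 0.0
    return {
        "size": len(data),
        "links": len(parsed),
        "pdf_links": sum(1 for p in parsed if p.path.lower().endswith(".pdf")),
        "domains": len(domains),
        "top_domain": top_domain,
        "top_share": round(share, 3),
        "link_farm": (len(data) <= MAX_SIZE and len(parsed) >= MIN_LINKS
                      and share >= CLUSTER_SHARE),
    }


def duplicate_objects(data: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check.  A first-wins reader
    resolves the earliest definition, a last-wins (or xref-following) reader
    the later one; only a body that differs after whitespace normalisation
    counts, and severity is raised only if either body carries active content."""
    first = {}
    findings = []
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        body = b" ".join(m.group(3).split())
        if key not in first:
            first[key] = (body, m.start())
            continue
        first_body, first_off = first[key]
        if body == first_body:
            continue   # byte-identical re-emission: a plain incremental save
        active = sorted({k.decode() for k in ACTIVE_KEYS
                         if k in body or k in first_body})
        findings.append({"obj": key, "first_offset": first_off,
                         "later_offset": m.start(), "active_content": active,
                         "severity": "raised" if active else "info"})
    return findings


def build_sample() -> bytes:
    """Constructed sample (not the analysed file): eleven link annotations,
    eight on sub-hosts of one domain, then an incremental update that
    silently redefines annotation 10 0 obj to point at a different host."""
    urls = [f"http://{s}.cdn-example.net/{i}.pdf" for i, s in enumerate("abcdefgh")]
    urls += ["http://other-example.org/manual.pdf",
             "https://another-example.com/x.pdf", "http://www.example.com/"]
    annots = b" ".join(f"{10 + i} 0 R".encode() for i in range(len(urls)))
    out = [b"%PDF-1.4\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj\n"]
    link = (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (%s) >> >> endobj\n")
    out += [link % (10 + i, u.encode()) for i, u in enumerate(urls)]
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    out.append(link % (10, b"http://evil-example.net/payload.pdf"))   # the update
    out.append(b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_check(sample))
    for finding in duplicate_objects(sample):
        print(finding)
```

On the constructed sample the link-farm check reports 12 links, 11 of them to .pdf files, with two thirds on cdn-example.net, and the duplicate check flags 10 0 obj with /URI as the active content that raises severity; re-emitting the same body unchanged yields no finding, which is the benign incremental-save case the heuristic text describes.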

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f486.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF486
    Size: 5564 bytes
    SHA-256: fb92b4ebfe57b376e3e62c86fb974020a6e857d161f3f08c2ee6ba90270fc81c
  • font_01_sfnt_off00010792.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10792
    Size: 10812 bytes
    SHA-256: 2e5d74ba8118fbb7a84644b92cb4b0f9a1569303edb766c65c75976d373e99d7
  • font_02_sfnt_off00012d08.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D08
    Size: 16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
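As an added example of how artifacts like the three above are carved (this is not the analysis platform's own carver), the script below walks every stream in a PDF, decodes it when it is unfiltered or FlateDecode, and keeps those whose decoded bytes start with an sfnt magic, reporting the stream-data offset, decoded size, SHA-256 and a font_NN_sfnt_offXXXXXXXX.bin name in the same shape as the table. The naming convention, the magic list and the sample PDF built by build_sample() are assumptions made here; only direct or endstream-delimited stream lengths are handled.

```python
"""Carve embedded font programs out of a PDF the way the artifact table
above lists them: offset of the stream data in the file, decoded size,
SHA-256 of the decoded bytes and a font_NN_sfnt_offXXXXXXXX.bin name.
Stdlib only; handles unfiltered and FlateDecode streams (what wkhtmltopdf
emits) and, for an indirect /Length, falls back to the endstream keyword."""
import hashlib
import re
import zlib

# sfnt container magics: TrueType (0x00010000 or 'true'), CFF-based OpenType, collection
SFNT_KINDS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType",
              b"OTTO": "OpenType-CFF", b"ttcf": "TrueType-collection"}
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")          # skip 'endstream'
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # not 'N G R'


def stream_payload(data: bytes, dict_bytes: bytes, start: int) -> bytes:
    """Return the decoded bytes of the stream whose data begins at `start`."""
    m = DIRECT_LENGTH_RE.search(dict_bytes)
    if m:
        raw = data[start:start + int(m.group(1))]
    else:  # indirect /Length (N G R): fall back to the endstream keyword
        end = data.find(b"endstream", start)
        if end == -1:
            return b""
        raw = data[start:end].rstrip(b"\r\n")
    if b"/FlateDecode" not in dict_bytes:
        return raw
    try:   # decompressobj tolerates trailing bytes after the deflate stream
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""


def carve_sfnt(data: bytes) -> list:
    """Every stream whose decoded bytes start with an sfnt magic."""
    found = []
    for sm in STREAM_RE.finditer(data):
        obj_pos = data.rfind(b" obj", 0, sm.start())
        if obj_pos == -1:
            continue
        dict_bytes = data[obj_pos:sm.start()]     # "obj << ... >>" of this stream
        payload = stream_payload(data, dict_bytes, sm.end())
        kind = SFNT_KINDS.get(payload[:4])
        if kind is None:
            continue                              # content stream, image, ...
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{sm.end():08x}.bin",
            "kind": kind,
            "offset": sm.end(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return found


def build_sample() -> bytes:
    """Constructed sample (not the analysed file): one Flate content stream,
    one Flate TrueType program and one unfiltered CFF OpenType program."""
    def stream_obj(num, body, extra=b"", flate=True):
        payload = zlib.compress(body) if flate else body
        head = b"%d 0 obj << /Length %d" % (num, len(payload))
        if flate:
            head += b" /Filter /FlateDecode"
        return head + extra + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n"
    truetype = b"\x00\x01\x00\x00" + bytes(range(256)) * 4      # 1028 bytes
    opentype = b"OTTO" + b"\x00" * 300                           # 304 bytes
    return b"".join([
        b"%PDF-1.4\n",
        stream_obj(4, b"BT /F1 12 Tf (hello) Tj ET"),
        stream_obj(7, truetype, b" /Length1 1028"),
        stream_obj(9, opentype, b" /Subtype /OpenType", flate=False),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for font in carve_sfnt(build_sample()):
        print(font)
```

The offset recorded is where the stream data starts, not where the object starts, which matches the 0xF486-style offsets in the table; hashing the decoded bytes rather than the compressed stream is what makes the SHA-256 comparable across samples that embed the same font with different compression.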