Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9736dea2b625955…

MALICIOUS

PDF

Size: 75.2 KB
Created: 2021-06-01 23:27:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b1720dfac98b5446c49efef449d68f2
SHA-1: 74c9d395a56b5b40faecea1bcdd80aab2f4eddf3
SHA-256: f9736dea2b62595540f4e2dfc2712c7f1e8dcfcf7c04f4c9e2f473ed5079a4dd
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, contains metadata related to 'wkhtmltopdf' and a date, but the primary malicious activity appears to be the mass distribution of external URLs, likely to lead users to malicious sites or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 5

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pixomot.ru/pbw?utm_term=treatment+of+chronic+periodontal+pdf
    • https://cdn-cms.f-static.net/uploads/4450440/normal_6067f5b8eb3a8.pdf
    • https://nozuresosobud.weebly.com/uploads/1/3/4/7/134758814/goxot_timemamo.pdf
    • https://kimewazokedusa.weebly.com/uploads/1/3/1/4/131454536/1583693.pdf
    • https://magifoxokepo.weebly.com/uploads/1/3/6/0/136053300/gidowigap-mifutite-lakarupofinuxuk.pdf
    • https://raputaluwim.weebly.com/uploads/1/3/1/6/131606275/6311129.pdf
    • https://xibatelilon.weebly.com/uploads/1/3/1/6/131637149/9904546.pdf
    • https://kamejufozafa.weebly.com/uploads/1/3/4/8/134891268/zijad-gusifugibigeku-dupotitu-rawaget.pdf
    • https://gononazenikemad.weebly.com/uploads/1/3/4/4/134482012/dc0b058.pdf
    • https://xunujilitaga.weebly.com/uploads/1/3/5/3/135315779/nowixuvow.pdf
    • https://cdn-cms.f-static.net/uploads/4393763/normal_6052711704b8c.pdf
    • https://xojumemusip.weebly.com/uploads/1/3/4/0/134018475/752db368971.pdf
    • https://xigepeseforala.weebly.com/uploads/1/3/4/5/134508125/tisiloziruweb-womezig-dukodajirijek.pdf
    • https://cdn-cms.f-static.net/uploads/4490274/normal_5fdc50f5b5401.pdf
    • https://cdn-cms.f-static.net/uploads/4408984/normal_5fdbe5db6da4e.pdf
    • https://latitidazus.weebly.com/uploads/1/3/4/0/134018806/wokidotowosamamije.pdf
    • https://nodekisoguzila.weebly.com/uploads/1/3/5/3/135313862/vawijovemixote_xipobinona_jitelutejuneg.pdf
    • https://visegiwizokin.weebly.com/uploads/1/3/4/7/134721612/ee3e93f2cb1aa40.pdf
    • https://wusiparopebabo.weebly.com/uploads/1/3/4/5/134505529/kojidipizuwabe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ad713b3a-9333-4a3e-a40d-98d4a1a8941f/nijen.pdf
    • https://uploads.strikinglycdn.com/files/698a8465-f728-46ec-ac26-b1e2abddd3c8/how_to_get_all_car_parts_borderlands_3.pdf
    • https://uploads.strikinglycdn.com/files/9d1beb2e-5d09-4c38-a0c0-58ac81adc39e/probability_and_statistics_for_engineers_and_scientists_devore.pdf
    • https://uploads.strikinglycdn.com/files/32660590-3bae-433b-b975-e163844d6119/craftsman_wet_dry_vac_customer_service.pdf
    • https://uploads.strikinglycdn.com/files/c52fe812-d885-49fa-8033-2ca6c74f363c/46492914561.pdf
    • https://uploads.strikinglycdn.com/files/58bfccf2-0370-46f0-bc67-e36cc4859904/uriyadi_full_movie_download_720p_1080p.pdf
    • https://uploads.strikinglycdn.com/files/c7dba390-33d5-4a8b-9651-c162a9143921/kazogitu.pdf
    • https://uploads.strikinglycdn.com/files/966bab19-8020-46d1-9ebe-f3538d262e06/ranciere_politics_of_aesthetics_summary.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb02.bin
  SHA-256: ee00f0c2cd01e986f66d49aada85a2556be7d68616be7942b04b1cb53e64602c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEB02
  Size: 5164 bytes

Filename: font_01_sfnt_off0000fc68.bin
  SHA-256: f41f6a7a91ab4903f7fb842946500fa9a199deb1c6de88de5ecae827e3bef5e9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFC68
  Size: 10252 bytes