Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa4951682b1a4f3b…

Verdict: MALICIOUS
File type: PDF
Size: 87.3 KB
Created: 2021-01-08 09:22:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03641a79dc1f4d068d3253768889a621
SHA-1: 8253a3e3444f0eff6420566d5684dab763a95b34
SHA-256: fa4951682b1a4f3be75810367ee5d4f00944c0f93929bd0e6f3bc3dfd630e23e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was classified as malicious by the Nyx PDF classifier (score 0.9994) and by ClamAV, whose signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 labels it a PDF phishing trojan. It is a small (87.3 KB) document generated with wkhtmltopdf that carries a large number of clickable external links. Most of the .pdf targets sit on a few file-hosting hosts (weebly.com subdomains, cdn.sqhk.co, s3.amazonaws.com buckets), the pattern of a generated SEO link-farm carrier, and the one URL singled out as suspicious, on traffnew.ru, carries a utm_term that mimics the search query "bangladesh govt holiday calendar 2016 pdf", consistent with a document seeded to rank for that query and pull searchers into a redirect chain instead of the document they wanted. No script content was extracted, so the T1059.007 mapping is not backed by recovered JavaScript; the risk lies in the link structure. The remaining URLs (the w3.org, purl.org and ns.adobe.com namespaces, and the font foundry and licence links) are XMP and embedded-font metadata strings rather than link targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other .pdf files, most of them clustered on one host. This matches the generated SEO/link-farm PDFs used as carriers that route users into malicious or unwanted-software delivery chains; a normal document's citations do not cluster this way.
  • CLAMAV_DETECTION (critical): ClamAV signature match
    ClamAV detected the file as Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/S /URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when a duplicate carries active content (an action, JavaScript, or similar).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. The URL singled out below is the one the summary counts as suspicious. The w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers, and the foundry and licence URLs (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL, dejavu.sourceforge.net, gnu.org) come from the embedded fonts' name and licence strings; the two entries ending in "htmGNU" and "htmRegular" appear to have run past the URL into the adjacent font string during extraction.
    Highlighted URL: https://traffnew.ru/aws?utm_term=bangladesh+govt+holiday+calendar+2016+pdf
    All extracted URLs:
    • https://cdn.sqhk.co/zupisopad/8SLhpjg/shooting_world_gun_fire_app.pdf
    • https://movireralu.weebly.com/uploads/1/3/4/8/134879142/5119683.pdf
    • https://cdn.sqhk.co/zudilubal/ejeQoge/furemutifupejo.pdf
    • https://nanagimub.weebly.com/uploads/1/3/4/6/134632235/nadimez_gamilo_gabexube.pdf
    • https://boxesagako.weebly.com/uploads/1/3/4/5/134589877/79b33ee.pdf
    • https://megoximigiwuboz.weebly.com/uploads/1/3/4/5/134579220/penuwusege.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/a25d9ee6-ee43-48bd-8386-a4018a52b23f/field_and_stream_3_person_dome_tent_instructions.pdf
    • https://s3.amazonaws.com/gajabedafot/gowesivivan.pdf
    • https://s3.amazonaws.com/fedufiporara/sujowux.pdf
    • https://s3.amazonaws.com/tupofelasujewas/43358441476.pdf
    • https://s3.amazonaws.com/dapekufoxiraku/26119482122.pdf
    • https://s3.amazonaws.com/topipovikapari/citra_3ds_emulator_free_32_bit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
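
Two of the heuristics above describe checks that can be reproduced on the raw bytes: clustering /URI targets by host (PDF_SEO_LINK_FARM) and finding object numbers defined more than once with differing bodies, then asking what a first-wins versus a last-wins reader would resolve (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The Python below is an added example written for this page, not the scanner's own code. It runs against a small constructed PDF embedded inline, not against the analysed sample; the hosts (cdn.example.net, docs.example.org, traffic.example.ru), the object numbers and the thresholds min_links=3 / min_share=0.5 are all assumptions chosen for the demonstration.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: four link annotations, three of them on
# one host, and object 4 defined twice (incremental-update shape) with a harmless
# first body and a redirect URI in the second body. All hosts are fictional/assumed.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://docs.example.org/calendar.pdf) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/a/one.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/b/two.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/c/three.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
4 0 obj << /Type /Action /S /URI /URI (https://traffic.example.ru/go?q=calendar) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Every "N G obj ... endobj" pair, in file order; a flat byte scan that ignores xref
# tables on purpose, so it also sees definitions a conforming reader would skip.
OBJ_RE = re.compile(rb"(?<![\d.])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI literal strings; no escape handling (enough for this check, not for real parsing).
URI_RE = re.compile(rb"/URI\s*\(([^()]*)\)")
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA)\b")


def iter_objects(data):
    """Yield (num, gen, body_bytes, offset) for each object definition found."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """{(num, gen): [sha256 of each body]} for ids defined more than once with differing bodies."""
    seen = {}
    for num, gen, body, _ in iter_objects(data):
        seen.setdefault((num, gen), []).append(hashlib.sha256(body).hexdigest())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Body a first-wins ('first') or last-wins ('last') reader would use for (num, gen)."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def severity_for_duplicates(data):
    """Mirror the report's rule: duplicates stay 'info' unless one of them carries active content."""
    dups = duplicate_objects(data)
    hot = [key for key in dups
           if any(ACTIVE_RE.search(b) for n, g, b, _ in iter_objects(data) if (n, g) == key)]
    return ("high" if hot else "info" if dups else "none"), hot


def extract_uris(data):
    """All /URI targets in file order, decoded as latin-1 (PDF literal strings are bytes)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_check(uris, min_links=3, min_share=0.5):
    """Cluster http(s) link targets by host; flag when one host dominates (link-farm shape).
    Returns (dominant_host, count, share_of_all_links, flagged)."""
    hosts = Counter(urlparse(u).hostname or "" for u in uris
                    if u.startswith(("http://", "https://")))
    if not hosts:
        return None, 0, 0.0, False
    host, count = hosts.most_common(1)[0]
    share = count / sum(hosts.values())
    return host, count, share, (count >= min_links and share >= min_share)


if __name__ == "__main__":
    for (num, gen), hashes in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(hashes)} times with differing bodies")
        print("  first-wins ->", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins  ->", resolve(SAMPLE_PDF, num, gen, "last"))
    print("duplicate severity:", severity_for_duplicates(SAMPLE_PDF))
    print("link farm check:", link_farm_check(extract_uris(SAMPLE_PDF)))
```

Run as a script it prints both resolutions of the duplicated object 4 (a first-wins reader lands on docs.example.org, a last-wins reader on traffic.example.ru) and the dominant-host share for the link targets. The regex pass is deliberately dumb: it does not follow the xref chain, handle escaped parentheses or look inside object streams, so on real files use it to pick candidates and confirm them with a proper parser (pdf-parser.py, pdfid or pikepdf) before trusting the counts.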

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded font programs (sfnt containers, i.e. TrueType/OpenType) pulled from PDF font streams, which is what a wkhtmltopdf-generated document is expected to carry; no script, executable or file attachment was carved.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000d2b6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xD2B6    5896 bytes
  SHA-256: 12ed4ae42501b4d86ff8662c977d79b16147749ba54651268e67ff762e9033df
font_01_sfnt_off0000e6c7.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xE6C7   10236 bytes
  SHA-256: b70946310c994b2e09ae9ed4e6d25e311a315aadffb814a5488dc20d12b9c02e
font_02_sfnt_off000107e3.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x107E3  11028 bytes
  SHA-256: 93b8953fe1e68d8e7955f59ee4d306a512d58ea45944b8de7a6526d646f77354
font_03_sfnt_off00012c93.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x12C93  16132 bytes
  SHA-256: 06d84a79787f49517cba9647d12dd77c675544b9e46e70dbd0c3ec2b8d2a160e
font_04_sfnt_off0001418c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1418C   4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3