Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb87f9a10ee846b8…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-03-09 21:28:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90a933210865aa2cb81550a23045197e
SHA-1: 1b69e9b632065e5ad3af3c9611485006e5388902
SHA-256: fb87f9a10ee846b8ff11bf2015f2c6efda2389afea5ecd4e55eb7ef49d63d9d3
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (score 0.9996) flag the file as malicious. The document was generated with wkhtmltopdf, is only 79.4 KB, and carries 22 external lure links, 21 of them to .pdf paths, spread over filesusr.com (10 links), s3.amazonaws.com buckets (5) and seven disposable-looking domains (ponafet.ru, hookup750.website, docita.fun, wide-mean.top, fineagencyy.com, naturfresh.space, uscreditmonitoring.info). That is the generated SEO/link-farm PDF shape used to route a victim into further malicious or unwanted-software downloads, not a citation pattern. The remaining extracted URLs (ascendercorp.com, fedorahosted.org/lohit, scripts.sil.org/OFL and the w3.org, purl.org and ns.adobe.com namespaces) are font vendor/license references and XMP schema identifiers carried by the embedded fonts and metadata, not lures. No JavaScript or other script content was extracted, so the T1059.007 tag is not corroborated by the static findings; the observed delivery mechanism is link-based, consistent with a spearphishing attachment (T1566.001) that hands off to the linked PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions); the info rating here means no such content was found in the redefined object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/award?keyword=caselet+di+for+bank+po+pdf
    • http://hookup750.website/defiant_light_timer_troubleshooting0pobs.pdf
    • http://docita.fun/favenoporuwomes0.pdf
    • http://wide-mean.top/mobile_phone_repair_course_download3v8ep.pdf
    • http://fineagencyy.com/444010379001sl7r.pdf
    • http://naturfresh.space/dovenonaxutebakataje9k1n6.pdf
    • http://uscreditmonitoring.info/pdf_ecology_and_environment3wqag.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://fa886832-b9e3-4ce5-a98c-97da2614721f.filesusr.com/ugd/9f8050_f4bf8d5c6ec74c02911cee726220776f.pdf?index=true
    • https://s3.amazonaws.com/gomaxod/microsoft_powerpoint_templates_online.pdf
    • https://189c2d36-84ff-4b81-9465-96c33c1d3b91.filesusr.com/ugd/35ddae_84a6e5cf7e0e428fb9b27edd631c675f.pdf?index=true
    • https://s3.amazonaws.com/tajimipojimo/70061558281.pdf
    • https://438c9214-13ba-44a2-8469-a4c97ff43377.filesusr.com/ugd/5d46a0_e939775d130647c6be885126588a4954.pdf?index=true
    • https://8d684a1e-4078-49cd-b336-05adf09473b6.filesusr.com/ugd/2b25e8_cb3c472e399d4382b1c5793914a73417.pdf?index=true
    • https://s3.amazonaws.com/lurutopobi/16015180312.pdf
    • https://d4e73f68-9870-4c81-be0c-0a6dd7607cd2.filesusr.com/ugd/6f53d7_84870d54baad4d478d7fbf3c284a0a24.pdf?index=true
    • https://be56f97b-0727-4a8e-a141-4155b83e75ac.filesusr.com/ugd/5034d0_fbd49bcbee4c483c8d09e7c70baa3f4b.pdf?index=true
    • https://s3.amazonaws.com/ganubatebedoxez/51268695979.pdf
    • https://3633ae4e-9acc-45df-885e-1bfa1481cb44.filesusr.com/ugd/e73054_3a13777a21384fe5b4f3186d2c89c0f9.pdf?index=true
    • https://e40da922-b0e4-44be-9878-2d4898ccab21.filesusr.com/ugd/3a38e0_605eb4325af54d42b8198461c1116b77.pdf?index=true
    • https://1a9cd40a-f0d6-44d4-a143-19288280ca2b.filesusr.com/ugd/7a13df_2463c52364ee4a85bac5b7296af23c56.pdf?index=true
    • https://s3.amazonaws.com/kukazowox/freeze_panes_google_sheets_iphone.pdf
    • https://d3df31c7-72fe-42b1-a92e-0723e8ed7a16.filesusr.com/ugd/5bf82b_cf129b28ed7e46c484132a6ffd9169cc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
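The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are simple enough to reproduce for local triage. The following is an added example written for this report, not the analysis platform's own detection code. The thresholds, the /URI and object regexes and the constructed sample PDF are assumptions; the scan works only on uncompressed objects, so links or objects hidden inside /ObjStm object streams are not seen unless the file is expanded first.

```python
"""Simplified re-implementation of two PDF triage heuristics (added example).

Not the analysis platform's code. Scans raw PDF bytes for /URI actions and for
indirect objects defined more than once; thresholds are assumptions. Regex
scan only: objects inside compressed /ObjStm streams are not visible here.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" in file order; non-greedy body so each match ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI literal strings, allowing escaped parentheses inside them.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Keys whose presence in a redefined object turns "body-only" into "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def iter_objects(pdf):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def extract_uris(pdf):
    """Return URL strings from /URI actions written as PDF literal strings."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf, size_limit=200_000, min_links=8, pdf_ratio=0.6, cluster_ratio=0.4):
    """PDF_SEO_LINK_FARM shape: small file, many external links, mostly .pdf, clustered on one host.
    Returns (hit, details); the threshold defaults are assumptions for this example."""
    uris = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    n = len(uris)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    pdf_links = sum(1 for u in uris if urlparse(u).path.lower().endswith(".pdf"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    details = {"size": len(pdf), "links": n, "hosts": len(hosts), "pdf_links": pdf_links,
               "top_host": top_host, "top_host_share": top_count / n if n else 0.0}
    hit = (len(pdf) <= size_limit and n >= min_links
           and pdf_links / n >= pdf_ratio and details["top_host_share"] >= cluster_ratio)
    return hit, details


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same (num, gen) defined twice with different bodies.
    Returns [(num, gen, first_body, last_body, active)]: first_body is what a first-wins
    reader resolves, last_body what a last-wins reader resolves."""
    first, last = {}, {}
    for num, gen, body in iter_objects(pdf):
        first.setdefault((num, gen), body)
        last[(num, gen)] = body
    out = []
    for key, body0 in first.items():
        body1 = last[key]
        if body0 != body1:
            active = any(k in body0 or k in body1 for k in ACTIVE_KEYS)
            out.append((key[0], key[1], body0, body1, active))
    return out


def build_sample_pdf():
    """Constructed stand-in for a link-farm PDF with an incremental update (not the analysed sample)."""
    farm = ["https://cdn.example-files.test/ugd/%02d.pdf?index=true" % i for i in range(6)]
    farm += ["http://%s/lure%d.pdf" % (h, i) for i, h in enumerate(("a.test", "b.test", "c.test"))]
    farm.append("http://fonts.example-vendor.test/")  # vendor-style URL, not a .pdf lure
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [] >>\nendobj\n"]
    for n, url in enumerate(farm, start=10):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, url.encode()))
    # Incremental-update style redefinitions appended after the original body.
    objs.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [10 0 R] >>\nendobj\n")  # body-only change
    objs.append(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
                b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n")  # active content
    return b"%PDF-1.4\n" + b"".join(objs) + b"%%EOF\n"


def triage(pdf):
    """Run both checks and return a compact verdict dict."""
    hit, details = link_farm_score(pdf)
    dups = duplicate_objects(pdf)
    return {"link_farm": hit, "link_details": details,
            "duplicate_objects": [(n, g, "active" if a else "body-only") for n, g, _, _, a in dups]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

Run stand-alone, the script reports a link-farm hit on the constructed sample (10 external links, 9 to .pdf paths, 60% on a single host) and two redefined objects: one body-only change, the kind of difference the report above rates as info, and one whose redefinition adds /OpenAction /JavaScript, the case in which the rule's severity should escalate. To use triage() on a real sample, first expand object streams (for example with qpdf --qdf --object-streams=disable) so that the regex scan sees every object and link annotation.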

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, 19,340 bytes in total, as expected for a wkhtmltopdf rendering of an HTML page; no script, embedded-file or other payload stream was recovered.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000ec5a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEC5A   5144 bytes
    SHA-256: 0d6146511b920fc6c797d55dfd6ce42a38eb8c8e1502d4a2069442212c1ec0f6
font_01_sfnt_off0000fddf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFDDF   10560 bytes
    SHA-256: 0086543b3c357ec242fb2e436c789a7da63ebb700fad65ac4ac2b2a3e3042e47
font_02_sfnt_off0001220c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1220C  3636 bytes
    SHA-256: 166c72558f4cd3ccf3466689bd93b064e88ccd7638e8839bf2d17279a2cc7f76