Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbfe12162fdfbf92…

MALICIOUS

PDF

74.9 KB Created: 2021-03-15 18:05:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c073cfafe64e51b99bd2387038143e1d SHA-1: d2673968a47595517993424fa9486e5fba7936f1 SHA-256: fbfe12162fdfbf92219eaf347b7440d7b7809aadc1f91adbadd0c6f1363bacec
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document likely prompts the user to install a browser extension or update, a common social-engineering technique. The presence of numerous external links, including one to 'soxebez.ru', suggests a phishing or malicious content distribution attempt. No scripts were extracted, but the overall pattern points to a phishing or malware delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/aws?utm_term=what+is+the+purpose+of+career+development
    • https://xoxovumalojiru.weebly.com/uploads/1/3/0/8/130874224/gusodakur.pdf
    • https://cdn-cms.f-static.net/uploads/4387424/normal_5fe620e4d21b6.pdf
    • https://cdn-cms.f-static.net/uploads/4450248/normal_60221a41cef23.pdf
    • http://axecheat9.xyz/mudutu8dn04.pdf
    • http://knitfqph.site/le_petit_prince_english_sparknotesyakrh.pdf
    • http://jobauthor.online/lawaraklo48x.pdf
    • https://wisetigu.weebly.com/uploads/1/3/4/3/134357320/2cf2c60.pdf
    • https://cdn.sqhk.co/letopoto/iRp3WvC/62946474231.pdf
    • https://cdn-cms.f-static.net/uploads/4426701/normal_5fdb312b69393.pdf
    • https://wokawopirajer.weebly.com/uploads/1/3/3/9/133999547/806fb2401.pdf
    • http://trastenmyqort.online/answer_key_for_math_worksheetshm5l9.pdf
    • https://cdn.sqhk.co/rajexizeba/i7jiSjj/wimifutene.pdf
    • https://cdn.sqhk.co/wogefosa/gpPIXja/vokugawiwugogepiv.pdf
    • https://static.s123-cdn-static.com/uploads/4445326/normal_5fcf0e0213ba1.pdf
    • https://cdn-cms.f-static.net/uploads/4476750/normal_5fdabd5402029.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9cf13542-6be3-44ba-b347-127768acfca0/motorola_moto_g_8gb_3._generation_schwarz.pdf
    • https://uploads.strikinglycdn.com/files/00614122-40b4-4253-aa89-684affa707f6/ccna_collaboration_training_in_bangalore.pdf
    • https://uploads.strikinglycdn.com/files/9170d4e1-9ec3-4653-b988-70202e0bf24e/1_litre_of_tears_book_online.pdf
    • https://uploads.strikinglycdn.com/files/f93f4bed-d71f-4d56-9f1b-bbe9d2fc131a/jesus_be_the_center_of_it_all_free_mp3_download.pdf
    • https://uploads.strikinglycdn.com/files/92e662a0-b646-4f41-8c73-cc1d846d8d95/monster_vape_hours.pdf
    • https://uploads.strikinglycdn.com/files/d31a6595-f4f7-46de-89d9-6594c4aa4a35/wogalipej.pdf
    • https://uploads.strikinglycdn.com/files/166b5b0a-b4f3-489a-a70d-1e341e22eabb/free_first_grade_reading_and_writing_worksheets.pdf
    • https://uploads.strikinglycdn.com/files/cc850e28-315f-4f87-88c4-4e2e6316d274/how_do_i_program_my_directv_remote_to_my_yamaha_sound_bar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e96f.bin
e9659fa3463d276a8a27b3fb000e909c6567cce84bd58b54c02a4396cf77d58b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE96F 5468 bytes
font_01_sfnt_off0000fbee.bin
ad99d85a5e5fad7dcc1d479a3921b40997cf8fc52b3a5e7ba439e43bbb8fbe7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFBEE 9960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.