Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc6e6d6a4cfc0f57…

MALICIOUS

PDF

114.2 KB Created: 2021-03-14 13:10:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c687c589cfa8f917e487f68f498051b4 SHA-1: 1fedeb54135032535c908e020139116fba6f4004 SHA-256: fc6e6d6a4cfc0f579fff13900e28e8b613a5241af2041758fa5f0ad1c1596209
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, with one suspicious URL pointing to seumenha.ru, suggesting a phishing or link-farming attack. The document body, though heavily obfuscated, appears to be a lure related to "Thermo king magnum 924 parts manual". No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=thermo+king+magnum+924+parts+manual
    • https://wojemalivameju.weebly.com/uploads/1/3/0/7/130775107/8504249.pdf
    • http://galufixagomedo.getenjoyment.net/27879167431.pdf
    • https://static.s123-cdn-static.com/uploads/4490371/normal_5ffc2e7eb76bf.pdf
    • http://rewita.fun/473504778959lelm.pdf
    • https://jowopuvuramikir.weebly.com/uploads/1/3/5/3/135313070/227a2.pdf
    • https://cdn-cms.f-static.net/uploads/4426820/normal_600eb6aca0351.pdf
    • https://cdn-cms.f-static.net/uploads/4470024/normal_601259dd91a44.pdf
    • http://otomail.business/84672791596jor22.pdf
    • http://fakts.design/thich_nhat_hanh_facts4kvig.pdf
    • https://revunisukigi.weebly.com/uploads/1/3/4/8/134849871/gerij_bovowax_dogiwobif_bijok.pdf
    • https://cdn-cms.f-static.net/uploads/4457839/normal_6026f5d58aeec.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8d369363-4430-4cd3-b9b3-cf8010d923b2/dimibuvedubegunolu.pdf
    • https://s3.amazonaws.com/putelekireza/pewidifonotanupalok.pdf
    • https://uploads.strikinglycdn.com/files/57892442-05fd-419e-b31e-09fea41a6cd3/19771604707.pdf
    • https://uploads.strikinglycdn.com/files/dd5e2374-6264-4f83-a3bb-5bd3374ce599/the_real_book_bb_sixth_edition.pdf
    • https://s3.amazonaws.com/roxawo/famikeluxizutumosilobit.pdf
    • https://uploads.strikinglycdn.com/files/f6c45090-e236-423c-bf70-a48b34686719/xoluwofes.pdf
    • http://nimanexobubibub.onlinewebshop.net/what_is_bible_in_arabic.pdf
    • https://uploads.strikinglycdn.com/files/bbe40eb7-68ed-48da-998c-e977808ef1f1/mr_coffee_ecmp50.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001809e.bin
8a973282c92107c76f9998b6960ef120bd3a9fe1c9299d7288d1c6cee806b73f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1809E 5624 bytes
font_01_sfnt_off00019390.bin
f8dfe62cb5d6e8f68148bb41dace2e0e8e6a0fdea7c9e7f027da9a8e783d8260		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19390 11712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.