Malicious PDF — malware analysis report

Static analysis result for SHA-256 fccd557c61e27fb7…

Verdict: MALICIOUS

File type: PDF

Size: 70.9 KB | Created: 2021-03-28 04:46:55 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b5ec3b83b213d69f2e6633ac6c14992 | SHA-1: d27a79e4965ab6f8c0585da54e777f47cc1bb0b0 | SHA-256: fccd557c61e27fb7c089cb3394d1c78a53332c55505acfe71c04aac5656597af
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, flagged by the 'PDF_SEO_LINK_FARM' heuristic, which suggests an intent to redirect users to potentially harmful websites. ClamAV (signature 'Pdf.Phishing.Trojan') and the ML classifier also strongly indicate that the file is malicious. Although no scripts were extracted, the embedded URLs and the overall structure point towards a phishing or malicious-redirection lure rather than an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d9bf.bin
  SHA-256: a926e43408cf4d97c62f3e8d1eadbd3a2da940021d2570df39043d12167c554d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD9BF
  Size: 5396 bytes

Filename: font_01_sfnt_off0000ec01.bin
  SHA-256: 0f7958888c0217f50acfdebc4b9a9b5d0e8050efc5f8eaf93c78ba0d203d4ea1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC01
  Size: 10120 bytes