Malicious PDF — malware analysis report

Static analysis result for SHA-256 000d58528f1e461d…

MALICIOUS

PDF

Size: 81.2 KB
Created: 2021-03-26 11:29:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83fff3640e1c1a7d1a463aa12448f99e
SHA-1: 78f6e4db7d858eae36740947994bd5fb8acaccc6
SHA-256: 000d58528f1e461dfe471ba834ec1bacebca65eb4e8d8aada2734ec37dab8b3e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to potentially malicious domains, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The presence of 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' further supports its malicious nature. The primary malicious IOC is the URL 'https://lozipotod.ru/123?utm_term=bat+bioacoustics+pdf', which is likely used to host phishing content or distribute further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/123?utm_term=bat+bioacoustics+pdf
    • http://istlan.fun/materiales_dentales_phillips3ovhn.pdf
    • http://buytoday.cc/91971469201969v1.pdf
    • http://erogan-encolumbia.site/ascending_aortic_aneurysm_surgical_guidelinesu2oub.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d51e2350-6c52-4b6d-82b9-6ab3c319262e/network_security_basics.pdf
    • https://uploads.strikinglycdn.com/files/571acf91-5a48-4864-88cf-a41144329060/what_does_incapacitation_mean.pdf
    • https://s3.amazonaws.com/gifojuxaxeva/23940818348.pdf
    • https://uploads.strikinglycdn.com/files/5790cf27-fd20-4513-8c00-98e75dd861db/does_allegiant_give_military_free_bags.pdf
    • https://06ebba1c-c738-45d4-b58d-83edbdcc9420.filesusr.com/ugd/b14caa_da935a834859483aa43c4f5d29bb753b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dbc5fed2-4d94-4b1f-b8d0-e9ff40cd07f6/radio_motorola_k7gmrcej_caracteristicas.pdf
    • https://uploads.strikinglycdn.com/files/bde06688-4ca2-4571-8c2d-4534fb09c28c/phrasal_verbs_with_telugu_meaning.pdf
    • https://uploads.strikinglycdn.com/files/d842b54d-9f2a-4513-94e6-6451902383ee/botagoniji.pdf
    • https://uploads.strikinglycdn.com/files/cd294fd5-625d-4f14-b628-ab8da7848a56/moon_river_guitar_chords_in_f.pdf
    • https://29ce6865-365c-47c4-9f0a-635d6f965865.filesusr.com/ugd/0d6b77_8cdf6569ee48482ea2cfc9ead3b825e7.pdf?index=true
    • https://13a7c488-548c-4b48-b567-d2b0b9a3e1de.filesusr.com/ugd/85d67f_4240d1c076c6483ca32a6e64727285d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83218355-a3cd-45d5-a3de-5229d2fddde0/american_red_cross_first_aid_practice_test_questions.pdf
    • https://uploads.strikinglycdn.com/files/cf0e3b4a-9f39-415b-ba76-0ec617c93e2b/jobemelalomurilu.pdf
    • https://s3.amazonaws.com/nowokil/96378139804.pdf
    • https://s3.amazonaws.com/bupesejirijejus/android_9_pie_for_mate_10_lite.pdf
    • https://938a05da-450f-421e-a59b-0448473a402a.filesusr.com/ugd/cb5dea_d6271e5acaf04825aba4dd385a70f798.pdf?index=true
    • https://d73c234d-0e3d-497d-8108-d5659bace061.filesusr.com/ugd/58a813_0cf08c5c5ce342f5ae59da08ab530c69.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3e046173-dedf-42d9-bee4-42cb21f8cefb/which_accent_do_you_have_quiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f3dc.bin
    SHA-256: 53c01a9a5a36a1f56f2ac18bff9780eb93a3368641910cdac7837574c956a1c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3DC
    Size: 4868 bytes
  • Filename: font_01_sfnt_off00010468.bin
    SHA-256: fea75e08acc33017e9fcfc00fec356f74a5441ae008a64f18d904337cd812a21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10468
    Size: 10956 bytes
  • Filename: font_02_sfnt_off000129a5.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x129A5
    Size: 4324 bytes