Malicious PDF — malware analysis report

Static analysis result for SHA-256 01b9960eb6ec0493…

Verdict: MALICIOUS
File type: PDF

Size: 99.4 KB
Created: 2021-03-09 23:51:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5555fbf759a9d3d5bc6db458bea0eaa4
SHA-1: 7a890d13866c25cb49194e33ef4555f1768f1020
SHA-256: 01b9960eb6ec0493a71b8a31507ea9e70c29e2c24330da0a5bd1305759668f93
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking documents, but one prominent URL points to a suspicious domain. The ML classifier and ClamAV detection strongly indicate maliciousness, likely related to phishing or malware distribution via the linked content. No scripts were extracted, but the PDF structure and numerous external links suggest an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://bologen.ru/wix?keyword=soenix+unblocked+games+sonic
    • http://flymoney.net/69728790533ap8gz.pdf
    • http://vijoxufomodazug.22web.org/bumepupizofun.pdf
    • http://mefuban.iblogger.org/memobilofaginewewix.pdf
    • http://jabofuzo.22web.org/xedew.pdf
    • http://buylettersonline.com/telepufilotidorutpcu3t.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wixevudu.epizy.com/osrs_crafting_guide_money.pdf
    • http://kidereludabiron.epizy.com/77277523330.pdf
    • https://e25b5f36-ee09-4010-8803-019b2853a23b.filesusr.com/ugd/c34eac_e00555cab32d4231bf14f9e56432e676.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1a6ecf21-0998-4fae-a09e-7621ad240ac3/starbucks_barista_job_duties_for_resume.pdf
    • https://uploads.strikinglycdn.com/files/00be7b06-4bdf-413e-8468-494922a7944e/what_causes_high_thyroid_hormone_levels.pdf
    • http://bavipilebevim.epizy.com/dengue_guideline_thai_2018.pdf
    • https://s3.amazonaws.com/lolaritemukole/google_chrome_old_version_ubuntu.pdf
    • https://a1d3e036-d9a1-4be1-9d2f-eedbb581cb22.filesusr.com/ugd/3ce946_a6e20b81667649f38be790495ace12b8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9c4c0993-36db-4e31-99c0-1a9b1bc8212a/gamopumamamegiv.pdf
    • http://bezopiwuzalobit.rf.gd/fixed_asset_lead_schedule_template.pdf
    • https://uploads.strikinglycdn.com/files/54e2bd24-fd92-4631-a69d-64d4fcb3d32b/direwat.pdf
    • https://s3.amazonaws.com/timituvupame/deadpool_2_end_credits_scene.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00012457.bin
    SHA-256: 3430d381653fd008d4d7fc43814682a6116e3ca7b293c4b21bf6f2c3cb920d4d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12457
    Size: 3832 bytes
  • font_01_sfnt_off000131df.bin
    SHA-256: 604c42fd1b576fabf16b0da77b0fd0cab38471304ab3c2ce97e8ff91e577aebb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x131DF
    Size: 5540 bytes
  • font_02_sfnt_off000144ac.bin
    SHA-256: 333ade86176c1a640b9931d3c3c12ae6bdb644d7b40e6676a0d790756e034f95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x144AC
    Size: 11356 bytes
  • font_03_sfnt_off00016adc.bin
    SHA-256: 0488c9f99e0fcd21ca2988e9d429c6d59fec344e78892dfd70b5e7a88f9c948a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16ADC
    Size: 16216 bytes