Malicious PDF — malware analysis report

Static analysis result for SHA-256 02163b9522bc0ab6…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-04-01 18:10:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e7ef215bfb4be29067084f8685f0d9c
SHA-1: 779ca5786831280785f4d3e3382b713346a898f1
SHA-256: 02163b9522bc0ab6437abc0f766ecad10e769199da2c6794df2e9017061a7f6f
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which points to a link farm or redirection scheme. No scripts were extracted, but the external URLs together with the ClamAV detection Pdf.Phishing.Trojan indicate malicious intent, most likely phishing or redirecting users to malicious content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f75c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF75C
    Size: 5096 bytes
    SHA-256: f7dbf5b275f55548c2266c3fcc971c33301585c10f01bf719ea8f153e33b979c
  • Filename: font_01_sfnt_off000108db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108DB
    Size: 12432 bytes
    SHA-256: c91af39e4734ede0c2f77a2d08908715c06f6457e7c4face666a840107c7a594