Malicious PDF — malware analysis report

Static analysis result for SHA-256 024d51b958eba1da…

MALICIOUS

PDF

74.0 KB Created: 2021-05-10 21:14:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: c9826095870e1386ca43254ece3dd1df SHA-1: e95c013df793eafa760233711e0b06b52c46899f SHA-256: 024d51b958eba1da8423434e5b019f78b10566138ee42c4598f06362fe4ea749
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=black+and+decker+firestorm+drill+battery+charger PDF link annotation
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://a161ff94-1a6f-4367-b6f8-8e513a5e676d.filesusr.com/ugd/4c7633_a26cf9cf46a54aefbe859a9ba32bc825.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/vukumesoj/tuganizek.pdfIn PDF document text
    • https://cb70cc59-2297-49c3-b7e2-2ac7e26e28d4.filesusr.com/ugd/4479ed_a74cfe9bb215431483be648c1d1ae13b.pdf?index=trueIn PDF document text
    • https://1b53f64c-3596-40ff-86ea-95cec8902569.filesusr.com/ugd/838e7e_3f6883a6995e413cacdef793bbf3cb45.pdf?index=trueIn PDF document text
    • https://367e539a-c541-4439-991c-4bf2bef2aa7a.filesusr.com/ugd/77d535_e1b97e83382e4c88917d0d8d977a4f9c.pdf?index=trueIn PDF document text
    • https://168d2a81-f750-40c6-a653-3787650f980d.filesusr.com/ugd/3bcfef_874e5a5a0d6c49b29d516c3f60592d60.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/tujeviwakirawu/garmin_gpsmap_60csx_maps_free.pdfIn PDF document text
    • https://8717ace1-8174-44a1-9f98-e7cbf9e9ed94.filesusr.com/ugd/14e3be_807e1881eddb4febb65d17f59479b17e.pdf?index=trueIn PDF document text
    • https://9e705916-5bde-4eb8-be9b-8b3e910fbaf8.filesusr.com/ugd/c7a620_b988acf27f944832b4dde2473532dcfe.pdf?index=trueIn PDF document text
    • https://8b1d1a20-f0f3-43d5-aeb5-704ac988d6c7.filesusr.com/ugd/9dbc1d_7fdf6fe376d84b00ab785631f19361fb.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/lizuseguwix/hypertension_treatment_guidelines_2018.pdfIn PDF document text
    • https://4bd9ed84-c80b-4837-bb2f-b1353ebfd8aa.filesusr.com/ugd/5a1791_cd411746443f4753ac6eb20e2bd14d87.pdf?index=trueIn PDF document text
    • https://6cf80756-66c2-4d2e-b15d-ff1677cb7115.filesusr.com/ugd/2257e8_d5a0fd5e3c3c4ee2a080845b7b4e8f22.pdf?index=trueIn PDF document text
    • https://156bb51f-0b62-477f-88ca-8620af00812b.filesusr.com/ugd/e3ff21_9f92c6570ace42f69cf6e0e693a54a66.pdf?index=trueIn PDF document text
    • http://lenixad.epizy.com/bexezobasumopumexoxixunu.pdfIn PDF document text
    • http://dixasimoxipux.rf.gd/lateral_thinking_examples.pdfIn PDF document text
    • http://xaposekesudonod.epizy.com/80219957633.pdfIn PDF document text
    • https://s3.amazonaws.com/xidazeze/exercise_after_action_report_examples.pdfIn PDF document text
    • https://cda84be5-0c54-4c05-8389-97bb004c798d.filesusr.com/ugd/fa9f00_f7d16fd8ddfc4ccf8a8a33c5588dec47.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/widiku/how_do_i_turn_off_wifi_direct_on_my_hp_printer.pdfIn PDF document text
    • https://ef5e9b3f-1a8e-4c79-9b60-34b8f8133c96.filesusr.com/ugd/18574e_f411b97734884f44be40b0f3fe9cafd3.pdf?index=trueIn PDF document text
    • https://36622f5a-5a1b-41a5-aa98-965156e47ac2.filesusr.com/ugd/804ff6_1a3c8c18c73443689c36911fc2354c20.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e0f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE0F1 5788 bytes
SHA-256: 87cfa3afa6a6c4fc3de75ae5bdf77dbe777467eed70ad58df6b88ea5631fe422
font_01_sfnt_off0000f48f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF48F 11068 bytes
SHA-256: 82c92e3e3f51c2975142f8c1421993ba150b5bb5066f26eb5cf18941eb10f9bd

Open this report in the interactive analyzer, or submit your own file for analysis.