Malicious PDF — malware analysis report

Static analysis result for SHA-256 052481cfa03f5ce3…

MALICIOUS

PDF

Size: 88.2 KB
Created: 2021-06-12 16:57:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f6c55357e9c058b5ab8762eb1257e0ad
SHA-1: d6d6572e678a0687b23e43b0b5f26ab07cbe448a
SHA-256: 052481cfa03f5ce33aae80529b1317ee74f3c68a629aa58ef54c79989b2ce266
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' containing 30 external links. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as 'Pdf.Phishing.Trojan'. The presence of embedded URLs and the overall structure suggest the PDF is used to redirect users to potentially malicious sites, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f304.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF304; Size: 5768 bytes
    SHA-256: e0ae17a673976cb23caf8962b55d15b7bf99c025351830e39ea7e1736101fe4e
  • font_01_sfnt_off0001071f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1071F; Size: 5484 bytes
    SHA-256: 92a9baa8659878c39f62dc911e5a792bd70506517807544a407f1430034ca9db
  • font_02_sfnt_off000119f5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x119F5; Size: 10312 bytes
    SHA-256: 666f7f6076f7dc4967f1d68fe830f1bbe1569fa8e0698bd2cd343e3ea5e94286
  • font_03_sfnt_off00013d07.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x13D07; Size: 16208 bytes
    SHA-256: da4b164e559004f6353f0a5dc6ff39c750a4dde01d42a555aa960bfbd3bf1c3f