Malicious PDF — malware analysis report

Static analysis result for SHA-256 05efc2bc06d94a41…

MALICIOUS

PDF

81.3 KB Created: 2021-03-17 22:12:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8286d304425f5c01c85df42e9752b6c1 SHA-1: 7dddc341927e5bb5e671689d93e51a5280233d3a SHA-256: 05efc2bc06d94a4168cea4115c4e182ea2d738c0f226a29fc028505eeea4c8a9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which point to external websites designed to host more malicious content. The 'PDF_SEO_LINK_FARM' heuristic indicates a deliberate attempt to create a large number of links to potentially malicious PDFs, suggesting a phishing or malware distribution scheme. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' further supports the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=peeta+bread+hunger+games
    • http://hurleyshamburgers.com/57779056926mcvtz.pdf
    • http://24goodstore.site/f1_2018_bahrain_setup_guide1vcz6.pdf
    • http://gtomishebs.xyz/john_deere_14se_service_manualz4j5i.pdf
    • http://wixiziz.iblogger.org/tadalerabixisaduwefabono.pdf
    • http://naturebiolog.fun/birch_bolete_recipe8rkbs.pdf
    • http://car-den.ru/walmart_black_friday_ad_2020_tire_salemmxqm.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://45f61934-b4a1-4335-a9e3-e142d9465b5b.filesusr.com/ugd/0dd040_8b6b4ea5c88e486d96f254f6b9088299.pdf?index=true
    • https://0ea28b16-58c2-472d-b6be-3e97fe9b7bb6.filesusr.com/ugd/696b8a_c54d9731255d4a68a224fec0a3ee9e37.pdf?index=true
    • http://rixuzomobe.epizy.com/barden_primary_school_uniform.pdf
    • https://3568ea06-17fa-4787-91ae-86b9aa918cbd.filesusr.com/ugd/8ade13_a380ad23e2a44b47b6b772835cded072.pdf?index=true
    • https://25f35837-e8ad-4357-b490-8f69bec4165a.filesusr.com/ugd/96c61c_5712039fb7bc48f9a900c52f7ac4a37a.pdf?index=true
    • http://letilewe.rf.gd/fegapuvela.pdf
    • https://uploads.strikinglycdn.com/files/9e5ec4a9-b694-4eed-89e0-9a0b1ab51b26/latest_skyrim_update_xbox_one.pdf
    • https://uploads.strikinglycdn.com/files/a2995ff2-cdfc-4ca5-9a11-3e5bd8df1592/19122534206.pdf
    • https://645c32c3-7e99-4959-b93b-7980205539d7.filesusr.com/ugd/30a31c_b57186778b684c0a8a44e3c1c6e1d102.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1c6e3535-0137-4395-8806-ac9a9c699854/how_to_improve_human_resources_management.pdf
    • https://uploads.strikinglycdn.com/files/c052d101-a2bf-4be2-84ee-88e459fa6663/is_adobe_free_right_now.pdf
    • https://5c2cca0d-3a4e-48b0-93bf-8ac6c0c026cb.filesusr.com/ugd/271e65_a84f0064690548198fd02f2fcda75642.pdf?index=true
    • https://67258aaf-84c5-4a88-bfd2-1aa7ddb6c27a.filesusr.com/ugd/850f07_12334b52546040228cdb1b505759c599.pdf?index=true
    • https://45f91bdd-2b68-4e60-ae2c-b14373ae5332.filesusr.com/ugd/0d089b_d74fa1d251d14b0b8de2a3aa134030df.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6adf8966-1c9a-45ad-893f-9a33cd181d39/16347918754.pdf
    • https://74fc1a11-d445-4ffb-bc6b-7a79e5a65a18.filesusr.com/ugd/097bd5_cb34928990a24c68badd457dd522b307.pdf?index=true
    • https://88966db1-4a83-4446-b941-f65022a6235f.filesusr.com/ugd/928e0f_bf2ce11d242d42bb9cff1b3b6dfa95f2.pdf?index=true
    • http://mevelidefa.rf.gd/interview_form_format.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fde1.bin
37e60a0da56f9863136413abf142c9052acec09245057832d175384c75a10bfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDE1 5348 bytes
font_01_sfnt_off00010fe1.bin
fd9d6c8cc6a13af6e2f3b77647821d0af5b7bbd6258b7817892bfab44ae9de1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10FE1 12008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.