Malicious PDF — malware analysis report

Static analysis result for SHA-256 0915be17a479cef0…

MALICIOUS

PDF

77.3 KB Created: 2021-03-27 11:17:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 306d1b3c8c1c786ccfb20eee12d71ad1 SHA-1: 6fe7221d770ba2b39568ab67efdb483f1816979b SHA-256: 0915be17a479cef0f05e836c47b01b707bedcd9a1005b91f41acffff64f9a777
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or malware distribution attempt. The document contains an external URI pointing to 'https://golowaki.ru/wix?keyword=nslc+salary+disclosure+2020', suggesting it is used as a lure to redirect users to a potentially harmful site. The presence of numerous links and disposable hosting, as indicated by the PDF_SEO_DISPOSABLE_LINK_FARM heuristic, further supports a malicious intent, likely for SEO poisoning or driving traffic to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=nslc+salary+disclosure+2020
    • https://cdn-cms.f-static.net/uploads/4476758/normal_60146528750ae.pdf
    • https://cdn-cms.f-static.net/uploads/4450347/normal_605d6f5aee2f6.pdf
    • http://tebafurunaxinuj.getenjoyment.net/sovuralasaburovarimukotoj.pdf
    • http://vexezujuzas.scienceontheweb.net/basic_english_grammar_for_bank_exams.pdf
    • http://posiximuteg.sportsontheweb.net/how_to_convert_to_word_adobe_reader.pdf
    • https://cdn-cms.f-static.net/uploads/4385204/normal_604a13c4a4e6d.pdf
    • http://lojapidabud.mypressonline.com/how_to_get_into_the_salvation_army.pdf
    • https://static.s123-cdn-static.com/uploads/4428035/normal_6000ad2cebee7.pdf
    • https://cdn-cms.f-static.net/uploads/4386621/normal_6032ba7a9b615.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dipagepe.atwebpages.com/88519370869.pdf
    • https://s3.amazonaws.com/gowupuzokowuxes/solution_set_for_inequalities.pdf
    • https://uploads.strikinglycdn.com/files/49dd0f8e-197c-4e72-994c-593fc79a1041/graphic_art_design_jobs_near_me.pdf
    • https://c6111751-42b6-464f-a8b1-832d492ff999.filesusr.com/ugd/3d0627_d12290b44a1842cf93ed68e44e303c3c.pdf?index=true
    • https://9847beff-b4a9-463e-b9ea-50c12313086f.filesusr.com/ugd/87ad98_7bdf15d051654fc8a9f5fa61b97b70c9.pdf?index=true
    • https://949217f6-ecfc-4a1b-8806-967b2a145102.filesusr.com/ugd/b08fd2_534a06b80f014833a4bbcd18c1bebc76.pdf?index=true
    • https://32cf4326-ba62-484c-a3ca-05d02c2dd2e5.filesusr.com/ugd/0b46e6_53252ce3d67c463cb9b078870c215d29.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5fd4e698-55ec-4b93-9e17-7fca6e5d930b/how_to_delivering_your_speech.pdf
    • https://627f215e-41ba-4aa4-9906-5f9f9d117739.filesusr.com/ugd/8ab72e_29a22ebc77f14f55af4f6235df546f1c.pdf?index=true
    • https://s3.amazonaws.com/zaxawetawupo/audio_technica_at_lp120_usb_cartridge.pdf
    • https://uploads.strikinglycdn.com/files/f34278ad-e99a-4a89-8e7e-082ee0e55495/37297599442.pdf
    • https://uploads.strikinglycdn.com/files/3e687a94-0d82-4181-a817-ed1eacb072a6/lejowulugovoxekumitutu.pdf
    • https://5a2ada08-5b6c-402a-b0df-3636415b461e.filesusr.com/ugd/434ae6_88bd9aaa4cc84446acb9bf946d4d6de8.pdf?index=true
    • https://s3.amazonaws.com/satulibaren/black_mart_apk_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efaf.bin
47ad86daa8cb7f8f215b573b57b7ed2e8b562e1132e376250ab27387f0762c5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFAF 5276 bytes
font_01_sfnt_off000101b6.bin
59b84400db103eaa12234b5583df193981ee92ddd3356afb5ba54b22807d9231		 pdf-font-stream PDF embedded font (sfnt) at offset 0x101B6 10808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.