Malicious PDF — malware analysis report

Static analysis result for SHA-256 09d34d3c5dc924e0…

Verdict: MALICIOUS
File type: PDF
Size: 95.9 KB
Created: 2021-05-23 03:29:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0010d7d60dced7fe7310c53fb8eec80c
SHA-1: f39600e6828426a17d95f106de0b5b8591e334f6
SHA-256: 09d34d3c5dc924e0a619937074abf4d385d8ce537a284b9a1918c6d453814de6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries dozens of external links, and the critical PDF_SEO_LINK_FARM heuristic identifies it as a generated link-farm carrier rather than a document with genuine citations; the wkhtmltopdf producer string is consistent with an HTML-to-PDF generation pipeline. The URL singled out by the analysis, 'https://xezojetit.ru/strik?utm_term=50+tons+mais+escuros+livro+resumo', is most likely a redirector into a phishing or malware-hosting chain. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier score (0.9978) corroborate the verdict; only the ClamAV signature specifically labels the file as a PDF phishing trojan. Two caveats for anyone triaging from this report: the EMBEDDED_URL list mixes clickable link targets with XMP namespace identifiers (w3.org, purl.org, ns.adobe.com) and font licence URLs, which are metadata strings and not indicators; and none of the listed heuristics reports embedded JavaScript, so the T1059.007 mapping is not evidenced by the findings on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info) [PDF_URI]
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xezojetit.ru/strik?utm_term=50+tons+mais+escuros+livro+resumo
    Other extracted URLs:
    • https://kikuwigew.weebly.com/uploads/1/3/1/4/131407235/2943225.pdf
    • https://nofuxufemi.weebly.com/uploads/1/3/2/6/132681390/b8ac9ad8b.pdf
    • https://pebabole.weebly.com/uploads/1/3/4/6/134698512/banitelojigepun_kejufadoxutaba_dimavosipubi_pesiwoxiroja.pdf
    • https://mivopolidenez.weebly.com/uploads/1/3/4/3/134349928/3995045.pdf
    • https://rawavofim.weebly.com/uploads/1/3/1/4/131452817/7cf28d4e.pdf
    • https://xidazujagavoza.weebly.com/uploads/1/3/1/4/131453269/giboku.pdf
    • https://komuwewolidixat.weebly.com/uploads/1/3/4/8/134871085/880805.pdf
    • https://luxituwane.weebly.com/uploads/1/3/1/8/131859527/tisozejosepidit-mevosejuj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/92746fab-f329-4e70-b8bb-d7ec8162000e/camping_near_albert_pike_recreation_area.pdf
    • https://uploads.strikinglycdn.com/files/25c225e8-87ee-428e-822e-4fdf597dd6eb/e_myth_revisited_book_summary.pdf
    • https://s3.amazonaws.com/pusori/zisew.pdf
    • https://uploads.strikinglycdn.com/files/c76ba280-c515-48c5-bcc4-c5507e4ecec2/final_fantasy_10_remaster_strategy_guide.pdf
    • https://uploads.strikinglycdn.com/files/d32685c3-7126-41bf-9a9b-dec87af806ae/how_to_watch_news_live_on_youtube.pdf
    • https://uploads.strikinglycdn.com/files/5d0c969b-b5ed-4d0a-8569-d869fe684b70/is_alcatel_3v_a_good_phone.pdf
    • https://uploads.strikinglycdn.com/files/e4863b9c-3bfd-4ce4-a285-f3949177e45d/top_paw_double_door_crate_instructions.pdf
    • https://uploads.strikinglycdn.com/files/26569e9d-65ba-4c20-9184-b5c05520ad44/weed_eater_22_inch_lawn_mower_oil_type.pdf
    • https://uploads.strikinglycdn.com/files/b03146b8-66a3-43a9-bcf8-013ad7bdc89f/gitidibokopenup.pdf
    • https://uploads.strikinglycdn.com/files/4993f5e4-c495-4270-9048-b878a00795d1/11463129727.pdf
    • https://uploads.strikinglycdn.com/files/ba4c9f85-da02-4eaf-9c68-0448f73f4c6f/can_you_get_your_license_at_16_in_south_carolina.pdf
    • https://uploads.strikinglycdn.com/files/c3a79986-d181-42bb-818d-eaca328d38cb/17845320556.pdf
    • https://uploads.strikinglycdn.com/files/a2a3cb18-0701-4a79-b203-f4f7fc62f8f3/weduvitanip.pdf
    • https://s3.amazonaws.com/bupijila/bihar_tet_exam_form_2019.pdf
    • https://uploads.strikinglycdn.com/files/e473d857-1665-4740-8c65-2a626119e87d/how_to_connect_goflex_home_wirelessly.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
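
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced in shape with a byte-level scan. The following Python is an added example written for this page, not the scanner's own code: it builds a constructed sample PDF (hypothetical hosts example-farm.invalid and updated.invalid), extracts /URI action targets, checks host clustering against assumed thresholds (MAX_SMALL_PDF, MIN_LINKS, MIN_HOST_SHARE), finds indirect objects defined twice with different bodies, and shows what a first-wins and a last-wins reader would each resolve for the duplicated object.

```python
"""Added example, not the scanner's code: byte-level checks in the shape of
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over a constructed
sample. Thresholds, hostnames and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj <body> endobj"; lazy match stops at the first endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI targets with backslash escapes. Hex-string targets and
# object streams are out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys that make a duplicated object "active content" rather than a cosmetic edit.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA|SubmitForm|GoToR)\b")

MAX_SMALL_PDF = 256 * 1024   # assumption: "small" means under 256 KiB
MIN_LINKS = 8                # assumption: fewer external links looks like normal citation use
MIN_HOST_SHARE = 0.6         # assumption: 60%+ of links on one host counts as "clustered"
FARM_HOST = "example-farm.invalid"   # hypothetical host for the constructed sample


def build_sample_pdf() -> bytes:
    """Constructed sample: one page, nine /Link annotations (eight to FARM_HOST,
    one ordinary URL), then an incremental-update section that redefines object
    4 0 with a different /URI. xref tables are omitted, so this is input for the
    byte-level checks only, not a viewer-valid PDF."""
    uris = [f"https://{FARM_HOST}/{i}.pdf" for i in range(8)]
    uris.append("http://www.w3.org/1999/02/22-rdf-syntax-ns#")
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n")
    for i, u in enumerate(uris):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (4 + i, u.encode()))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    update = (b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
              b"/A << /S /URI /URI (https://updated.invalid/strik) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return original + update


def extract_uri_targets(pdf: bytes) -> list:
    """Every /URI action target in the file, from whichever object defines it."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes) -> tuple:
    """(is_link_farm, dominant_host, share_of_http_links_on_that_host)."""
    hosts = [urlsplit(u).hostname or "" for u in extract_uri_targets(pdf)
             if u.startswith(("http://", "https://"))]
    if len(pdf) > MAX_SMALL_PDF or len(hosts) < MIN_LINKS:
        return False, None, 0.0
    host, n = Counter(hosts).most_common(1)[0]
    share = n / len(hosts)
    return share >= MIN_HOST_SHARE, host, share


def find_duplicate_objects(pdf: bytes) -> dict:
    """{(num, gen): [body, ...]} for objects defined more than once with differing
    body bytes; identical redefinitions are not reported."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        seen.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(dups: dict) -> str:
    """Body-only duplicates stay 'info'; the level is elevated only when one of
    the duplicated bodies carries active content."""
    active = any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies)
    return "elevated" if active else "info"


def resolve_uri(pdf: bytes, num: int, gen: int, policy: str) -> str:
    """The /URI a first-wins ('first') or last-wins ('last') reader gets for (num, gen)."""
    bodies = [m.group(3) for m in OBJ_RE.finditer(pdf)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    body = bodies[0] if policy == "first" else bodies[-1]
    m = URI_RE.search(body)
    return m.group(1).decode("latin-1") if m else ""


def scan(pdf: bytes) -> dict:
    farm, host, share = link_farm_verdict(pdf)
    dups = find_duplicate_objects(pdf)
    return {"uri_count": len(extract_uri_targets(pdf)), "link_farm": farm,
            "top_host": host, "top_host_share": round(share, 2),
            "duplicate_objects": sorted(dups), "duplicate_severity": duplicate_severity(dups)}


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(scan(sample))
    print("first-wins reader gets:", resolve_uri(sample, 4, 0, "first"))
    print("last-wins reader gets: ", resolve_uri(sample, 4, 0, "last"))
```

Run as a script to print the verdict dictionary and the two resolutions of object 4 0. Two design points carry over to real files: key the clustering on /URI action targets only, so XMP namespace and font-licence strings like those in the EMBEDDED_URL list above do not inflate the count, and group by registrable domain (public-suffix list) rather than bare hostname if the many weebly.com subdomains above should count as one cluster. The regex scan does not decode object streams or hex-string URIs, so treat a clean result from it as a lower bound, not a clearance.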

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded sfnt (TrueType/OpenType) font programs, the expected output of a wkhtmltopdf/Qt rendering pipeline; the http://dejavu.sourceforge.net and http://scripts.sil.org/OFL entries in the URL list above most likely come from licence strings inside these fonts rather than from clickable link annotations.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010843.bin | dded1f420840a81d877377d3dce102e984727f65576b58b6c23efc8673792b48 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10843 | 5056 bytes
font_01_sfnt_off00011949.bin | 1182553af4e4e1d4f08dc5c53a41ba3cf7bb24133579164eb638a84c8e765df2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11949 | 2012 bytes
font_02_sfnt_off0001227c.bin | 42e01155c45c341e501c66a6cbe803e8a46bba45a35d30ebc04c03f5cff53ad8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1227C | 12976 bytes
font_03_sfnt_off00014a33.bin | 6ed258985af9614f66946f4f2ba021219d0ebd277ed84954711dfceb905e54c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A33 | 16856 bytes
font_04_sfnt_off00016180.bin | 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16180 | 4324 bytes