Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bba1a5117e7923f…

MALICIOUS

PDF

81.9 KB Created: 2021-04-10 14:53:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ded3fd850fafe437f1cf0eb8bcaba82 SHA-1: ae45edba68dfdcc128d29f243c32506d2bff69b2 SHA-256: 0bba1a5117e7923fa6651c4b4506bef7d71187ee7f3b3eed34503a523fb3ba11
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which are part of a link farm designed to manipulate search engine results. The primary URL, https://jumiwimov.ru/strik, is presented in a context suggesting it's a search result, likely a lure for users seeking information. ClamAV detection and ML classification strongly indicate malicious intent, specifically phishing and trojan activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=how+do+i+enable+keyboard+shortcuts+in+word
    • https://pafovawulawagi.weebly.com/uploads/1/3/4/5/134581771/2562230.pdf
    • https://pagopolekabob.weebly.com/uploads/1/3/4/3/134305888/lugemumipa.pdf
    • https://cdn-cms.f-static.net/uploads/4447626/normal_602f375ba9ab7.pdf
    • https://kakituku.weebly.com/uploads/1/3/4/5/134589995/8296721.pdf
    • http://rukakev.iblogger.org/bow_tie_cinemas_majestic_6.pdf
    • https://nitomono.weebly.com/uploads/1/3/1/4/131454496/tokagure_givubutulesep_xapudemakarubul.pdf
    • https://miroguwitofenev.weebly.com/uploads/1/3/5/9/135958286/1260277.pdf
    • https://cdn-cms.f-static.net/uploads/4413587/normal_6040fd1cbb70f.pdf
    • https://cdn-cms.f-static.net/uploads/4419847/normal_602df9295c45a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://litopojijerel.epizy.com/wwe_summerslam_results_grades_bleacher_report.pdf
    • https://s3.amazonaws.com/remuv/37689868777.pdf
    • https://s3.amazonaws.com/numunenoji/what_size_tires_are_on_a_2013_ford_focus.pdf
    • http://zudagiropa.rf.gd/silexegitorogimegesumo.pdf
    • https://s3.amazonaws.com/begijufadi/minority_report_tv_show_fanfiction.pdf
    • http://sojidalome.rf.gd/governance_and_public_policy_css_books.pdf
    • http://pamiwumewamem.epizy.com/lokibogup.pdf
    • https://77ac2d45-d533-4b4b-a85c-01e81860bff9.filesusr.com/ugd/7f1ad7_85bc8eac89014475a7d72122449c73f6.pdf?index=true
    • https://12c9c681-cafc-4f88-93da-cb6f471fd49a.filesusr.com/ugd/f09a9d_e369496ea2404769914aa92f8b02f5c0.pdf?index=true
    • https://s3.amazonaws.com/juzinaramip/reteaching_activity_3_infancy_and_childhood_worksheet.pdf
    • https://s3.amazonaws.com/regufojalojaza/piwawikerovajobabofanefi.pdf
    • https://e3055f73-6236-423b-b810-4bc1a15f300f.filesusr.com/ugd/fa12d1_4cffa4bdeaa243dc9c32d6c0c6bd8f7d.pdf?index=true
    • https://39c10a3a-92c6-412a-a1bb-b8a1fc48fbc4.filesusr.com/ugd/259099_ce16463336bc4ee193b272f5d1d59728.pdf?index=true
    • https://f0198b83-f3fe-41b4-8315-bacd7eabb238.filesusr.com/ugd/2b3f46_6df48f0576214c5c96f7abe4413067f2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4d4.bin
d633490561042b813ddd23920c8b43505a99b7dca9ed282f7dd74673dc501d31		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4D4 5268 bytes
font_01_sfnt_off000106c2.bin
74a91df7647e3d79f910877e87faced1789549bc7ab83ea37a1f07aa852287f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x106C2 10888 bytes
font_02_sfnt_off00012be4.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BE4 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.