Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bff56607dbe823e…

Verdict: MALICIOUS
File type: PDF
Size: 76.1 KB
Created: 2021-05-30 01:23:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c84edcf683e19e81758424eea8bbafe7
SHA-1: 4b78c12c68d8d9398e0d448f6f50497d40a2d1e8
SHA-256: 0bff56607dbe823e381a838bba43d6358864bae944937672fcf36fa99c7c23ee
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to file-sharing services and potentially malicious domains, which indicates a link farm or distribution mechanism rather than a normal document. The ClamAV detection and the ML classifier both strongly suggest malicious intent, most likely phishing or malware distribution. The embedded URL and the document body text, which appears garbled but contains keywords related to math problems, suggest a lure that directs the reader to a website hosting malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://botokaw.ru/wb?keyword=problemas%20de%20porcentajes%203o%20eso%20resueltos%20pdf
    • https://wuvipovuzodex.weebly.com/uploads/1/3/4/8/134846945/kedovo.pdf
    • https://rowafitiw.weebly.com/uploads/1/3/4/6/134608100/nopelubaxuxi.pdf
    • https://vemuwusikive.weebly.com/uploads/1/3/4/7/134733059/likezotizopu.pdf
    • https://xemexetizepe.weebly.com/uploads/1/3/6/0/136094173/toxuro.pdf
    • https://jadowusirufire.weebly.com/uploads/1/3/2/7/132740355/fajikazonavuno.pdf
    • https://firuruxuzero.weebly.com/uploads/1/3/7/5/137502241/wixeze.pdf
    • https://pegotovu.weebly.com/uploads/1/3/4/8/134855979/xabupux_suvurodek.pdf
    • https://kowumawadixowiv.weebly.com/uploads/1/3/4/8/134888970/c0c37ae2ef.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/52f9a484-73ba-46a3-baa7-fddab4b99f75/kujiretifizinufikoxil.pdf
    • https://uploads.strikinglycdn.com/files/3f420bf8-7289-41a4-a094-22ee148e9096/how_to_file_a_complaint_against_landlord_in_nyc.pdf
    • https://uploads.strikinglycdn.com/files/b7396ebc-28b8-45e8-a334-c651dfc798f6/pharmaceutical_calculations_quiz.pdf
    • https://uploads.strikinglycdn.com/files/febfeb06-37ed-4313-994c-55a301dacd0f/jupekafamumajekotufizu.pdf
    • https://uploads.strikinglycdn.com/files/c59373be-4595-4370-9ccc-d7bbb093e372/mexejabubanabixu.pdf
    • https://uploads.strikinglycdn.com/files/aa2f3b2c-5022-4b2f-82dc-d11a258c6ca1/gudutukejip.pdf
    • https://uploads.strikinglycdn.com/files/131f05fc-1787-476c-b62e-fda8e29a59d1/what_information_does_an_accounts_payable_aging_report_provide.pdf
    • https://uploads.strikinglycdn.com/files/a2d75981-ccfd-4efc-99f8-787854b605a2/is_montresor_happy_with_his_revenge.pdf
    • https://uploads.strikinglycdn.com/files/4a37dab5-fc65-4cac-88b6-62bee762be43/fagova.pdf
    • https://uploads.strikinglycdn.com/files/136cda9a-38c5-482f-ad5e-577691cc290f/76527730240.pdf
    • https://uploads.strikinglycdn.com/files/2ee5f8a4-e39b-465e-b2f2-e4b055bf8bbc/danby_dehumidifier_with_pump_canada.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e6ba.bin
SHA-256: 0e64fc4d0daf1f733cd2f32e7a9125a79ecf0cfb84183a03845118f9776ebac1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE6BA
Size: 5684 bytes

Filename: font_01_sfnt_off0000f9f5.bin
SHA-256: 0ad6ff1aa09e6b7f45aaeb85b49483a0245f0fdf37a2b73af8363c06955a0712
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF9F5
Size: 12592 bytes