Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c30fa66506783c8…

Verdict: MALICIOUS
File type: PDF
File size: 75.8 KB
Created: 2021-03-08 06:13:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92c42150d5cf7eb83fb063e5b6cfcf03
SHA-1: 26066d416e5831c1653e48a3eddaed8854636ff2
SHA-256: 0c30fa66506783c817fa9965e5d683e2ae49dd92196c403223e9e3be7eac9394
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links; one prominent URL points to a suspicious domain that appears to be part of a link farm. ClamAV and the ML classifier both identify this PDF as malicious, with ClamAV matching it against a phishing trojan signature. The embedded content, though heavily obfuscated, suggests an attempt to pass the file off as 'control installer' material in order to lure users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://xezojetit.ru/aws?utm_term=2gig+go+control+installer+code
    • https://solazipakiku.weebly.com/uploads/1/3/4/5/134509697/850613.pdf
    • https://nobuzuza.weebly.com/uploads/1/3/4/7/134757083/1f72e65cfafc.pdf
    • https://widijozitumude.weebly.com/uploads/1/3/4/6/134688085/6254779.pdf
    • https://fivilogavizizov.weebly.com/uploads/1/3/4/4/134446089/581280.pdf
    • https://jupavovol.weebly.com/uploads/1/3/4/3/134314217/junigi_tuvusebekowodev_xanekemo_rivuxerosazo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://989eff4c-946f-4221-9817-1a8d60f2082d.filesusr.com/ugd/7edf14_dc0501d3e356442db16c18d5e0ddf9bc.pdf?index=true
    • http://nomufasawanokez.epizy.com/wezalunexojidasem.pdf
    • https://e590c0d9-b694-44fb-9862-47327b30d8b0.filesusr.com/ugd/89363e_ada61a83e816415f891797a2fc901261.pdf?index=true
    • https://07d68bf2-0661-47e2-9ffe-eae068a071af.filesusr.com/ugd/fef806_cccf19f235664afabdea5b052ea4116c.pdf?index=true
    • https://4cd5eafb-d261-4666-a528-29b55b1676c1.filesusr.com/ugd/8dde66_c6399166e574461fb77e22d7394ee958.pdf?index=true
    • https://uploads.strikinglycdn.com/files/16cd5c70-0ac0-4d22-8850-6b1e80418b77/yamaha_rx-v471_specs.pdf
    • https://s3.amazonaws.com/jivala/kazowibab.pdf
    • https://s3.amazonaws.com/bepukuba/pneumonia_adalah_2017.pdf
    • https://5b2b9875-3923-4577-9ef6-0527498c95e7.filesusr.com/ugd/4e6dd5_4a42ee749c2b421c8c349ceb29cb410a.pdf?index=true
    • https://s3.amazonaws.com/wazorixekunafob/alliance_leveling_guide_classic_wow.pdf
    • https://8ee4d174-735f-4cd7-9396-c3a65dbcc337.filesusr.com/ugd/5ac313_29a70002b18f4b34b4ffff0050270b5c.pdf?index=true
    • http://mafovipuvawo.epizy.com/56570181510.pdf
    • https://s3.amazonaws.com/libusamagowuvo/kindle_paperwhite_supported_formats.pdf
    • https://s3.amazonaws.com/nemafu/id_card_template_images.pdf
    • https://uploads.strikinglycdn.com/files/45c83f5e-ac1c-49c5-89c2-0372466bdf0b/runaway_alice_munro_quotes.pdf
    • https://uploads.strikinglycdn.com/files/2e3d5dcd-eee1-486c-a65c-c518d44b23e4/xigexakutagegumi.pdf
    • https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_d33ceaa5c73244cc906aa77a14c7986a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • Filename: font_00_sfnt_off0000eb99.bin
    SHA-256: 5d2a69c2c1b57471da48caf74fdb809aefadde950d59c44b3800ec944384bf5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB99
    Size: 5144 bytes
  • Filename: font_01_sfnt_off0000fd2a.bin
    SHA-256: 7d16839dd4bb4370e5c1159695e2b67a9a12e49c55ea574f314da75c0642c6ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD2A
    Size: 10876 bytes