Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c5166f07671b155…

MALICIOUS

PDF

77.2 KB Created: 2021-05-12 18:47:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6d5db16a599bf6dc1f24b4d2fc249a0 SHA-1: e7537c760c45ef494ff79756d4f002ae0967f5bf SHA-256: 0c5166f07671b1555001de17f955f300dc7839772aaf89fb335bb400bf6e9ef4
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. The document body, though heavily obfuscated, contains references to a 'Linux administration' guide, suggesting a lure. The presence of numerous external URIs, including one pointing to 'seumenha.ru', indicates an attempt to redirect the user to a malicious site or download further content. No scripts were extracted, but the PDF structure and external links are indicative of a malicious document delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=linux+administration+a+beginner%2527s+guide+sixth+edition+pdf
    • https://static.s123-cdn-static.com/uploads/4388814/normal_5fe4d40193c02.pdf
    • http://wugumonisukanib.sportsontheweb.net/google_balance_sheet_2020.pdf
    • http://mopowataxix.medianewsonline.com/vipixurisomolikogefepikog.pdf
    • http://keluzizizeroki.getenjoyment.net/cuales_son_los_valores_familiares.pdf
    • https://static.s123-cdn-static.com/uploads/4389821/normal_60073e3ad0794.pdf
    • http://weridif.medianewsonline.com/convert_to_word_document_for_editing_free_online.pdf
    • https://cdn-cms.f-static.net/uploads/4388424/normal_60535892b2d45.pdf
    • https://static.s123-cdn-static.com/uploads/4466140/normal_60072da498a37.pdf
    • https://cdn-cms.f-static.net/uploads/4409609/normal_6010836fceedf.pdf
    • http://gikepofazanapol.mypressonline.com/piwuv.pdf
    • https://cdn-cms.f-static.net/uploads/4468534/normal_6058d5a6ac5e5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d429d46a-6203-486b-8c9d-ede5597e1383.filesusr.com/ugd/419b00_63f4aff196014f4a8258452de5eaf4c3.pdf?index=true
    • https://f77c8dad-41d7-4a8f-8d8d-c05149a3a236.filesusr.com/ugd/36d413_b27839fbde0e48aa9b382556a95dcc90.pdf?index=true
    • https://uploads.strikinglycdn.com/files/49c6dd6f-042b-47f3-bf9d-440b49cf9f53/laguzazomege.pdf
    • https://uploads.strikinglycdn.com/files/8ace7ac7-210b-4a92-b954-ec22bad661e2/theoretical_framework_in_nursing_research_examples.pdf
    • https://uploads.strikinglycdn.com/files/db4533de-ac0e-4a17-ab53-2ac6e3b1b47d/mental_health_recovery_model_framework.pdf
    • https://ac685e6e-6442-44c0-91a1-b3a367e79ef2.filesusr.com/ugd/ce77c6_d9fb629a987d4a8aaa3c65d220b82fee.pdf?index=true
    • https://ec679cc6-872a-45a8-b2fd-b1bc8f6ddb77.filesusr.com/ugd/d1d005_63134d7ce40b497ab11002c3a75eabaf.pdf?index=true
    • https://78bdfa25-736e-4945-a764-db21511aacb9.filesusr.com/ugd/9bd82e_539df7ae6f794e3a9b758359d255bf38.pdf?index=true
    • https://a2876ee3-c470-454a-91e2-e108d831033a.filesusr.com/ugd/e8dba5_2f2ec77bde354438a8e2cc5dd9e7d3da.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bd22a1e4-7075-48c6-88f9-b9f8909ab0e4/tanuboronuzovinarapugi.pdf
    • https://171e2b11-24ea-4535-acac-f971ec821c4b.filesusr.com/ugd/a07927_9987254441454c9cbe222aaad6007f9b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bafea770-ca8f-4f72-83a0-f2a3ade1a468/44240519123.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb2e.bin
e560b2adef57975444846a11950151f8f2716e2d7d5a89aedbfeadd9b0ebb54c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB2E 5608 bytes
font_01_sfnt_off0000fe21.bin
72d2ad4ba732b0263b70477cd0d6c492e92e850d6a2e15b09274635c9f6f7d77		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE21 11348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.