Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e62d6c670c0d4bd…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-22 02:06:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16cc32285b7fbff8b3b94c9360fb86d9
SHA-1: 1f7a08ed651c1e2ffbe3ee989329d72ab686fae3
SHA-256: 0e62d6c670c0d4bd8ca450023aa4ead3e23a5a7dfe891d224944d8092c93f2c4
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many hosted on Weebly, suggesting a link farm or phishing operation. The document body, though heavily obfuscated, contains a title related to 'Best linux distro 2020 for security' and references wkhtmltopdf, indicating it is likely a generated lure intended to drive traffic to malicious or scam websites. ClamAV and the ML classifier also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=best+linux+distro+2020+for+security
    • https://danaguvofuboxi.weebly.com/uploads/1/3/5/4/135401293/56031b90d31.pdf
    • http://natnat.fun/lufenipowipodopizuxobebooibz0.pdf
    • https://judiwexip.weebly.com/uploads/1/3/4/5/134517798/suxexikuwu_sosilorunuketig_zakavesokutu.pdf
    • http://ecoservice-vlad.ru/85204724632maboq.pdf
    • https://jijajaxasivezix.weebly.com/uploads/1/3/4/5/134588510/gejixe_ruxoredizovet_tavazagiveva.pdf
    • https://static.s123-cdn-static.com/uploads/4465905/normal_60076fcc85f78.pdf
    • https://filogeruziwumu.weebly.com/uploads/1/3/1/4/131406947/wurono.pdf
    • https://cdn-cms.f-static.net/uploads/4422382/normal_5fd1b7d7b9f03.pdf
    • https://xitemexum.weebly.com/uploads/1/3/4/3/134311382/nirezuj.pdf
    • https://static.s123-cdn-static.com/uploads/4401716/normal_60072bdd5c7a6.pdf
    • https://dizegovonaziluz.weebly.com/uploads/1/3/4/8/134881707/damikebep-megisukid-popaf.pdf
    • https://faturigazed.weebly.com/uploads/1/3/4/8/134859690/4726419.pdf
    • http://psylath.com/41844957268cg2cs.pdf
    • https://nijasofefovo.weebly.com/uploads/1/3/4/7/134719995/numuron.pdf
    • https://static.s123-cdn-static.com/uploads/4369645/normal_5fd038e08a74c.pdf
    • http://nyvelsets.online/96003366866oe5t4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/cc10414b-11e4-4601-a9a6-e99b00afb56b/what_two_factors_affect_the_density_of_seawater.pdf
    • https://uploads.strikinglycdn.com/files/62230db8-434d-4519-9e97-f7b99504c6ac/joviloz.pdf
    • https://uploads.strikinglycdn.com/files/6017244f-92c9-4e75-926c-c655dfe4a9dd/25667208192.pdf
    • https://uploads.strikinglycdn.com/files/d46432b4-492b-43db-b3e3-9d3fb6f9d81b/how_did_zeus_interact_with_humans.pdf
    • https://uploads.strikinglycdn.com/files/8a95db25-31c2-49aa-b9a4-689621c02046/80417524145.pdf
    • https://uploads.strikinglycdn.com/files/6c201fe0-0ad5-45d7-9051-6f908d2e0818/how_long_do_you_roast_a_turkey_breast_in_a_convection_oven.pdf
    • https://uploads.strikinglycdn.com/files/e33a2c93-6e30-47f8-bf6b-fc55f4886646/mgma_physician_compensation_2020.pdf
    • https://uploads.strikinglycdn.com/files/6e2f1ff1-50d5-4fa3-8fb2-a2eaa1b18c70/remington_700_sps_stainless_223_review.pdf
    • https://uploads.strikinglycdn.com/files/0f3fbb60-3294-4f23-a211-ec36d3fbd2f2/how_to_get_a_beginners_permit_in_south_carolina.pdf
    • https://uploads.strikinglycdn.com/files/b1b6d2dd-2f6f-46c7-b9c0-eabb9274a3cc/82667728848.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f88d.bin
    SHA-256: 2db730078faabcedab76cbfb40a561356a3e1f6ee8c1cde61f24edce6334b17a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF88D
    Size: 5300 bytes
  • font_01_sfnt_off00010ab8.bin
    SHA-256: 37526e2d92ed7cb0f7dcda089fa45f9338c3edd7e6db8ff9695cb8847bc76632
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10AB8
    Size: 10736 bytes