Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fb5aaed5c173df7…

MALICIOUS

PDF

72.6 KB Created: 2021-05-21 13:58:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ffa5d0a798ba020365a0d78d86f55766 SHA-1: ecb079bf271b8bca9c56427b1e5e71b26d5df677 SHA-256: 0fb5aaed5c173df7154747f3c415b20faecf9751dc88188b8382fc7a59ce9b36
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The file contains a large number of external links, many pointing to S3 buckets and Weebly-hosted PDFs, suggesting a link farm or SEO poisoning tactic. One of the primary URLs, https://jacksth.ru/strik?utm_term=bespoke+shoemaking+pdf, appears to be the main lure. While no scripts were explicitly extracted, the PDF structure and the presence of external links suggest it may leverage embedded JavaScript for malicious actions, such as redirecting users to phishing or malware download sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=bespoke+shoemaking+pdf
    • https://toxupuxuforiri.weebly.com/uploads/1/3/5/9/135966975/00e01.pdf
    • https://cdn-cms.f-static.net/uploads/4368964/normal_60414b3fe8351.pdf
    • https://tikoresi.weebly.com/uploads/1/3/0/7/130775690/59b962d1e87645c.pdf
    • https://sizuginoten.weebly.com/uploads/1/3/4/4/134490660/jujorukipi.pdf
    • https://static.s123-cdn-static.com/uploads/4367950/normal_5fca563c0c877.pdf
    • https://cdn-cms.f-static.net/uploads/4446270/normal_5fd683bc4d96d.pdf
    • https://cdn-cms.f-static.net/uploads/4457876/normal_605dc13936d94.pdf
    • https://roxobirunuj.weebly.com/uploads/1/3/4/0/134096027/simijinabisi-xizetawuzolego-lojir-xataxexat.pdf
    • https://cdn-cms.f-static.net/uploads/4393209/normal_6060843a45d60.pdf
    • https://cdn-cms.f-static.net/uploads/4450353/normal_60222b2f5be9c.pdf
    • https://static.s123-cdn-static.com/uploads/4488317/normal_5fcbae5146133.pdf
    • https://budasanufewe.weebly.com/uploads/1/3/5/3/135323580/liweliz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/davolazupivowi/best_formal_dress_shops_adelaide.pdf
    • https://s3.amazonaws.com/suxuzubojut/desi_desi_na_bolya_kar_song.pdf
    • https://s3.amazonaws.com/mexesazaxasa/28198091737.pdf
    • https://s3.amazonaws.com/petubapizo/72585592819.pdf
    • https://s3.amazonaws.com/divikufifir/best_wordpress_hosting_for_multiple_sites.pdf
    • https://s3.amazonaws.com/tosego/jack_reacher_books_best_price.pdf
    • https://s3.amazonaws.com/pulujolatepuv/abu_garcia_silver_max_20_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ddb8.bin
bf4bce2ba1a87b9f2387259401591ecc5d4cd60b508832db0f3a8a00bdf4a7a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDB8 5440 bytes
font_01_sfnt_off0000f01e.bin
e2fb81f5a242d66b788da2b1eedcfd3e6d63646e38dfcb9b7d5f68a769ee735c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF01E 10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.