Malicious PDF — malware analysis report

Static analysis result for SHA-256 105c891a6e1bf100…

MALICIOUS

PDF

79.9 KB Created: 2021-04-24 18:25:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-22
MD5: ec6f0776dc2b7ca2c787c3cc345fee22 SHA-1: db9bc7615f9bdd30199a3845f8d0292e3d971f7a SHA-256: 105c891a6e1bf100b38a8fbfda488809f0226d054ef7eeb3e3eb32421bf21cc5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=learn+arabic+language+through+english PDF link annotation
    • https://cdn.sqhk.co/fabokofe/iayGiee/icy_hot_cream_walmart.pdfIn PDF document text
    • https://xaleratugigajij.weebly.com/uploads/1/3/4/6/134631249/c916964432.pdfIn PDF document text
    • https://cdn.sqhk.co/pumafuki/eghnhdC/kudilijaxemixe.pdfIn PDF document text
    • https://zavifojixu.weebly.com/uploads/1/3/3/9/133997579/9340568.pdfIn PDF document text
    • https://vuvuzuvikedatun.weebly.com/uploads/1/3/4/5/134529562/wogijalazamib.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://61069a5e-3c5f-4884-a3c7-8c7552058b74.filesusr.com/ugd/0789d5_3a091bc5e3b149fe83f76b8c46077128.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/xezujuxoz/whatsapp_video_call_app_for_pc.pdfIn PDF document text
    • https://s3.amazonaws.com/ruzumeb/gaditupujixumukavoxodez.pdfIn PDF document text
    • https://be56f97b-0727-4a8e-a141-4155b83e75ac.filesusr.com/ugd/5034d0_381d22c2b88046e3b35f9dedbcf1ee34.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/tozaduliwubega/xuzubesuzigawigowetika.pdfIn PDF document text
    • https://s3.amazonaws.com/sikuva/bill_nye_sound_worksheet_answers.pdfIn PDF document text
    • https://f495c71d-628d-4070-9a3d-b699cbb46ba4.filesusr.com/ugd/d99ef3_f45f6e75e3814ce588978e1e03adbc07.pdf?index=trueIn PDF document text
    • https://3ea853e4-7f2b-4fb0-9229-b04907a1e321.filesusr.com/ugd/d94095_5ffa2a87502841b0b543cfad172c79b5.pdf?index=trueIn PDF document text
    • https://e20d271a-53e3-41f9-9180-d6cd5f9fd148.filesusr.com/ugd/6cfc61_7f73378eb0014fa78bc24a230c3a9e86.pdf?index=trueIn PDF document text
    • https://db244590-af71-4c33-bd6e-2f8f55f31281.filesusr.com/ugd/fdab61_cb18ca155b85463792a7521adb7df8b7.pdf?index=trueIn PDF document text
    • https://d5aacb37-8766-4234-9cc8-c2ec3b911aba.filesusr.com/ugd/1e723b_4f175ab9375b42b89df23bb49e74659e.pdf?index=trueIn PDF document text
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_d03d4f39192e45cba2a6d5165955a587.pdf?index=trueIn PDF document text
    • https://042e50b4-45d0-4577-915a-c14d43ab21ad.filesusr.com/ugd/18f527_b7d5b999ea584ff49b12bedabdbec443.pdf?index=trueIn PDF document text
    • https://9f4ad419-87ad-4507-9b23-40b7c7395cc9.filesusr.com/ugd/55478e_224e70923f71450faba1b36f84608a56.pdf?index=trueIn PDF document text
    • https://ab737b70-891a-4a1f-8db9-ee548211cb31.filesusr.com/ugd/ce14f3_2dbc82fcd2074916a11f9bd94c04fe67.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc3a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC3A 5144 bytes
SHA-256: 9146324fa44c9b9e4f99d2eb7364562d90a7d8b5751e6af1ffbcc35a8a2dff5c
font_01_sfnt_off00010db2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10DB2 10604 bytes
SHA-256: dd0a94b1e7294a50889862e12fbc259970e0df6841750a5b9881e474cfcf10f8

Open this report in the interactive analyzer, or submit your own file for analysis.