Malicious PDF — malware analysis report

Static analysis result for SHA-256 119c55ffbeb5eba2…

MALICIOUS

PDF

91.4 KB Created: 2021-04-25 01:35:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d81672fa9662c75104ec1b32f93ad1a5 SHA-1: 5fdf937ae81dac1483a23ad437754c52e039b5e0 SHA-256: 119c55ffbeb5eba2e228cbd8ebc44ce6da48d08c5dba4a4237a530e7b998dcae
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are obfuscated or use link farms, indicating a malicious intent to redirect users to potentially harmful websites. The ClamAV detection and ML classifier strongly suggest this PDF is malicious, likely a phishing or malware distribution lure. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of techniques used to deliver second-stage payloads or conduct phishing attacks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=hoover+whole+house+elite+pet+manual
    • http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf
    • https://wejumarokurefa.weebly.com/uploads/1/3/0/7/130776247/b401003b3d.pdf
    • https://rilavowa.weebly.com/uploads/1/3/2/7/132740415/xupeluvolasafo_voxexoziwuluxij.pdf
    • https://ramujodavuratot.weebly.com/uploads/1/3/4/6/134667495/jelilovigi_ritemizonoxebu_julisop.pdf
    • https://cdn.sqhk.co/kunimanujage/by7kDhc/f1_mobile_racing_controller.pdf
    • http://mylic.ru/tri_tronics_classic_70_g2_collarjxtlj.pdf
    • http://mexuloxuxinona.iblogger.org/gavifasekuparavem.pdf
    • https://cdn.sqhk.co/kifuzopeko/giajfgf/gogumawamogepomuk.pdf
    • https://cdn.sqhk.co/jirudumom/jitjaGH/scp_096_modest_game_download.pdf
    • https://cdn.sqhk.co/repudodo/FphbLhf/kodera_wire_stripping_machine.pdf
    • http://fherixq.com/buxutigiwedekixesatonuzjdo3.pdf
    • https://cdn.sqhk.co/lexuxeza/gU0BEaw/mazixukuredopanemonis.pdf
    • https://cdn.sqhk.co/zifeduwa/hjdtRhi/moto_g_power_vs_pixel_4a_5g.pdf
    • https://cdn.sqhk.co/lomasamube/Qgcjeie/balls_barber_shop_brooklyn_ny.pdf
    • http://zuwigef.22web.org/sajumozig.pdf
    • https://bizitodavil.weebly.com/uploads/1/3/4/3/134321392/ronabigefabori.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a1b876fd-e98f-4594-996d-fc523792ae9e.filesusr.com/ugd/efcbf0_be18523a91ec4bfc93a10f4e67ce85ad.pdf?index=true
    • https://ecfc1f44-6648-4072-bff5-6ee4adcfbe4f.filesusr.com/ugd/e5a943_d4222afe37804e8f8c407db43cdfc7ef.pdf?index=true
    • http://fobegakolu.epizy.com/watch_its_kind_of_a_funny_story_online.pdf
    • https://7054f9d6-44ea-4b6c-8535-0d04e7cb9957.filesusr.com/ugd/963b03_9c1f142eaae14a58a028c0698a8b604d.pdf?index=true
    • http://munakazoxan.epizy.com/airport_city_hacks_android.pdf
    • https://8c56b32b-3398-45d6-9c0b-b55146621f16.filesusr.com/ugd/6924eb_f7fbc09adfa64b8ab9df4600f1103ae1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000121aa.bin
56c3c3aa74b8a8a7956f5279fcbcce19d2841247898b597f7d2f22f76c75fdc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x121AA 5172 bytes
font_01_sfnt_off00013320.bin
6235444356425dc2bb66475c04bef73762b1edca8166e06947a15f1067107b26		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13320 13820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.