Malicious PDF — malware analysis report

Static analysis result for SHA-256 129a275a82afb718…

MALICIOUS

PDF

Size: 84.6 KB
Created: 2021-03-30 05:04:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 402e15cf6ea8002d15129e3096e630b7
SHA-1: b26ecd7ec89e64364b63d1f5d78a250be7536323
SHA-256: 129a275a82afb718229b607f4bca907abf07da58be77727346bffede909d7258
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm and a suspicious external URI, indicating a likely phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, classifying it as a phishing trojan. The document body, though heavily obfuscated, appears to be a lure related to microwave repair, designed to mask the malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010d20.bin
  SHA-256: f6da511682f1b06c12fa564949ec6783bf46c654ff5a42485a1b06be6402803b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10D20
  Size: 5352 bytes

Filename: font_01_sfnt_off00011f47.bin
  SHA-256: 6fe1f328783be9fed95f172381ef62142782b221c95683f7d28a20de2d5ddbf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11F47
  Size: 11180 bytes