Malicious PDF — malware analysis report

Static analysis result for SHA-256 13a0b505c94d3cfb…

MALICIOUS

PDF

98.9 KB Created: 2021-06-08 16:26:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7cb269846f6f5b3c943cde64cfbe5229 SHA-1: adf52025d5c04cfd8af7a10780ebe92efcaaa7ae SHA-256: 13a0b505c94d3cfba3b85301b1138f98e575ae0d75bf3cbde2d2905d9693a88d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, characteristic of a link farm designed for SEO manipulation or to distribute malicious content. The primary external URL observed is `https://synerhu.ru/pbw?utm_term=th9+bases+2020+%253B+5000+%253B++%253B++%253B+Low+%253B+0`, which likely serves as a gateway to further malicious sites or payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/pbw?utm_term=th9+bases+2020+%253B+5000+%253B++%253B++%253B+Low+%253B+0
    • https://cdn-cms.f-static.net/uploads/4410000/normal_6009c00fb5565.pdf
    • https://static.s123-cdn-static.com/uploads/4368237/normal_5fc8eb369bff5.pdf
    • https://netopanuneju.weebly.com/uploads/1/3/4/4/134493403/xefejenepujojatuf.pdf
    • https://cdn-cms.f-static.net/uploads/4417329/normal_605677020dac3.pdf
    • https://mifitulu.weebly.com/uploads/1/3/4/5/134521308/811247bff32.pdf
    • https://cdn-cms.f-static.net/uploads/4379371/normal_6061fa363846d.pdf
    • https://kerixagagunusuz.weebly.com/uploads/1/3/0/7/130776265/nefabijo.pdf
    • https://cdn-cms.f-static.net/uploads/4366337/normal_605dc61d53727.pdf
    • https://pasetesosetoje.weebly.com/uploads/1/3/0/7/130775590/vegikupijiwemuwod.pdf
    • https://static.s123-cdn-static.com/uploads/4450628/normal_5fff77d999d24.pdf
    • https://cdn-cms.f-static.net/uploads/4394077/normal_60156b715f908.pdf
    • https://puxipevabama.weebly.com/uploads/1/3/4/3/134308905/172195.pdf
    • https://cdn-cms.f-static.net/uploads/4378151/normal_6033221c8b568.pdf
    • https://static.s123-cdn-static.com/uploads/4407733/normal_6003389954550.pdf
    • https://cdn-cms.f-static.net/uploads/4415962/normal_6009c0e443f0d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://zowonixepor.pbworks.com/f/gizorabifivogipejupobama.pdf
    • https://uploads.strikinglycdn.com/files/1d30957b-9117-4da2-83eb-afd82911f6cd/1514751355.pdf
    • http://gogoporiwo.pbworks.com/w/file/fetch/144465663/46610519668.pdf
    • http://pulixojesu.pbworks.com/w/file/fetch/144513642/pabusobur.pdf
    • http://xutosop.pbworks.com/f/dimerodev.pdf
    • https://uploads.strikinglycdn.com/files/7162ee59-1346-488a-8770-dc54683ad4ff/59636005473.pdf
    • https://uploads.strikinglycdn.com/files/ba07b0f3-304f-4321-98e2-d94c71c40ccc/introduction_to_project_management_quiz_answers.pdf
    • https://uploads.strikinglycdn.com/files/bd764448-aae2-4124-b2dd-9f7f9abf53f9/effective_communication_methods_in_healthcare.pdf
    • https://uploads.strikinglycdn.com/files/3db1d576-c67e-45ce-be5c-6e2eece998ba/best_robot_vacuum_for_pet_hair_and_hardwood_floors_reddit.pdf
    • http://rugewenuzed.pbworks.com/f/riwumi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013828.bin
9ceda7fdbf81cba8b4a6c445475d1ce88cee05f5052d45bad15d837b92d59d03		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13828 5040 bytes
font_01_sfnt_off0001496d.bin
9759a57693d188aad2bd5b60d03f9f8902a4d56534ff4fd2a690b004b7e3f359		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1496D 11180 bytes
font_02_sfnt_off00016f9f.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16F9F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.