Malicious PDF — malware analysis report

Static analysis result for SHA-256 145f33a1af31b95b…

MALICIOUS

PDF

78.4 KB Created: 2021-04-02 07:40:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49e0fc1d5349486b72f8e4aa62285903 SHA-1: 18a369572a9319e6b136b999213823c60fe112b2 SHA-256: 145f33a1af31b95b18c490563da53d8a543ec0ed956023890b07452a5a4a6d40
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are disguised as search results for software downloads, indicating a link farm or phishing attempt. The presence of a 'download button' heuristic further supports this. ClamAV detection as 'Pdf.Phishing.Trojan' confirms the malicious nature. No scripts were extracted, but the overall structure suggests a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=faceniff+unlocked+apk+download
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2ea3657d-1c4c-40dd-8491-58aeeb8dc933.filesusr.com/ugd/18a85a_c50e21e5059c46a090f75ba69f2fa2a2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d8847dbb-5d07-4ae4-b5bb-08fc93101f28/how_to_pair_ilive_tailgate_speaker.pdf
    • https://uploads.strikinglycdn.com/files/a85ebd6a-4b35-49e5-b1f8-85a5f80f7f12/warehouse_safety_videos.pdf
    • http://nawugem.epizy.com/coppertone_sport_spf_50_consumer_reports.pdf
    • https://uploads.strikinglycdn.com/files/5127e2d4-1b83-42d1-90e1-c723b251c51a/87074663915.pdf
    • https://d4996ccb-aecf-47c4-aab6-3c4fe022e1b7.filesusr.com/ugd/b7ed05_490d4133657f41759d41f99c06e445b6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/171b7c6f-7411-4878-a9ad-27da4fa62c12/26239339200.pdf
    • https://uploads.strikinglycdn.com/files/8c54460f-95d7-442c-86a9-a13c4e9af69b/xojofo.pdf
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_b2286516c4a94cd383637d7637102b4c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/362e0459-2d44-406a-96ee-a171426820f9/fun_writing_prompts_for_fourth_graders.pdf
    • http://xegukamadoso.epizy.com/auricular_definicion_informatica.pdf
    • http://nenimon.epizy.com/asrm_guidelines_gestational_carrier.pdf
    • https://uploads.strikinglycdn.com/files/3de0edd0-4317-48ff-a42d-5cca671dbd05/en_el_tiempo_de_las_mariposas_pelicula_audio_latino.pdf
    • https://uploads.strikinglycdn.com/files/6177d0b9-6712-4e92-8d1b-9451d0a6ca66/logitech_mk360_vs_mk270.pdf
    • https://uploads.strikinglycdn.com/files/336a2703-172e-47b6-bc89-475382cf87bd/14514962965.pdf
    • https://uploads.strikinglycdn.com/files/2e189517-c04a-48be-99a3-86f8049ca0ad/an_ember_in_the_ashes_book_3_summary.pdf
    • https://90e68d66-75cd-4f9f-aa76-03b1e6b67b4d.filesusr.com/ugd/324cd8_98001438c2af48c69b6c84a6979cecfa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c5b82f38-2f56-4917-9dc9-b4015b074339/can_i_renew_my_driver_license_before_it_expires_california.pdf
    • https://uploads.strikinglycdn.com/files/bbc82d55-d471-43de-8fa2-76c40bc9b03a/5946113651.pdf
    • https://edcb5511-827b-40b0-97c1-3499c313f96b.filesusr.com/ugd/0779a3_77091222f1224b948e1cea2dac26718b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f44e.bin
fb4f633169fae3c28992187dc5ea268887c72f1f89fbe3ab8d96067527ce3ea9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF44E 4988 bytes
font_01_sfnt_off00010572.bin
06a504963bb44ef42ae7269dfe73b83a1fc85f5312bb5d00b8df5e6e236ca018		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10572 11308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.