Malicious PDF — malware analysis report

Static analysis result for SHA-256 150dc408d1b5e079…

MALICIOUS

PDF

75.2 KB Created: 2021-04-15 07:48:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0bb90e85efa39441a2e5a16e053c11fa SHA-1: 2ee7958009918bb326365c801d50fec1df7c2cc3 SHA-256: 150dc408d1b5e079d9fdddcd6e4cb19353d10d3d36a9b531b72a0f9d02aad18e
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic firing for a link farm and is flagged by ClamAV as a phishing trojan. The embedded URL `https://maypoin.ru/strik?utm_term=how+to+tow+a+ford+ranger+4x4` suggests a lure to a malicious site. Although no scripts were explicitly extracted, the PDF structure and the presence of external links indicate an attempt to redirect the user to a potentially harmful resource, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/strik?utm_term=how+to+tow+a+ford+ranger+4x4
    • https://cdn.sqhk.co/kuniremolu/ie0vAkh/43978150853.pdf
    • https://cdn.sqhk.co/bisidilit/hhjibih/reigns_game_of_thrones_switch_metacritic.pdf
    • https://cdn.sqhk.co/lixejudazeza/Tsei4ob/turitabeguwedojotililegop.pdf
    • http://berasowugixo.mywebcommunity.org/lebep.pdf
    • https://cdn.sqhk.co/gutejalajige/Ugfhaov/xidobipovusovoteminu.pdf
    • https://cdn.sqhk.co/waduzebata/j3Qjfhc/chronic_hyponatremia_treatment_guidelines.pdf
    • http://patajafurep.mywebcommunity.org/denitixelumibozogaj.pdf
    • http://forisawidokomor.sportsontheweb.net/tesda_bookkeeping_reviewer.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zusevamasor/simuzugoti.pdf
    • https://uploads.strikinglycdn.com/files/5e6a437c-5fb3-4573-909d-4b3fdc0974be/ion_block_rocker_plus_battery.pdf
    • https://s3.amazonaws.com/zasepo/turnigy_9xr_firmware_update.pdf
    • https://13fad4bf-7224-44b3-802b-16842e97d241.filesusr.com/ugd/b14664_caeeaabbe0144560803f9b17f9826132.pdf?index=true
    • https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_9d7cc7bd8b5f4acc9fb3654816c17143.pdf?index=true
    • https://uploads.strikinglycdn.com/files/90df7e55-e11d-496f-8450-430bc1d80d2a/12932611701.pdf
    • https://uploads.strikinglycdn.com/files/dbb87433-f2d4-4a49-be62-9083ff4a1be0/34897124041.pdf
    • https://11484d69-1612-41b9-9199-165df1f08223.filesusr.com/ugd/e2f197_9f78e4575cd047778f20a504208687e1.pdf?index=true
    • https://s3.amazonaws.com/tidigudetefumof/nakawubasekijebe.pdf
    • https://uploads.strikinglycdn.com/files/e0ca05bd-567f-4066-b72d-7fd9673a14a6/robinhood_app_customer_service_phone_number.pdf
    • https://uploads.strikinglycdn.com/files/2a3ee5bf-517c-4e12-82e5-a403ab20ec95/40775437078.pdf
    • https://56076a71-1b70-41e8-afe1-d547c394b4ee.filesusr.com/ugd/ab0d05_90c1b7a3b7054b1a913a66f297dc14ae.pdf?index=true
    • https://s3.amazonaws.com/legipalofi/50981231416.pdf
    • https://uploads.strikinglycdn.com/files/472769ca-bccf-4156-8308-99b6879dae1b/jalik.pdf
    • https://uploads.strikinglycdn.com/files/acdd22c7-04a7-4933-8d37-c1ae6834764b/soccer_practice_plans_for_8_year_olds.pdf
    • https://s3.amazonaws.com/peveziwoguxuzam/fabofilizogozifanapomitat.pdf
    • https://uploads.strikinglycdn.com/files/2b9051ad-b284-42ce-aa6a-b21f24743fc5/what_types_of_intermolecular_forces_are_present_in_dimethyl_ether.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e934.bin
8256187cad4953d4c7f033459fad45316fa81c1e88b7324c5892882e9570e684		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE934 5076 bytes
font_01_sfnt_off0000faa5.bin
8b261da716621ab31d0afc9ee8e550986fdb7f8ffb3b2ca2ffa47a2ac96c1ff1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAA5 10796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.