Malicious PDF — malware analysis report

Static analysis result for SHA-256 15ca593c43fe1349…

MALICIOUS

PDF

85.4 KB Created: 2021-05-29 08:14:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 021293b4d1a1536410305473bc750a6e SHA-1: b26033f51c9b019cc78bb5ccfdbfbb9113fd1c04 SHA-256: 15ca593c43fe13499c46ced0f9b32c4f73ce1e253752ff4bef9968ec6f913f25
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, flagged as a 'PDF_SEO_LINK_FARM', suggesting a malicious intent to redirect users to potentially harmful sites. ClamAV detection and ML classification confirm its malicious nature, identifying it as 'Pdf.Phishing.Trojan'. The embedded URLs are likely used to host phishing content or download further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/strik?utm_term=ark+100+imprint+giga
    • https://cdn-cms.f-static.net/uploads/4472182/normal_60691486d35f1.pdf
    • https://cdn-cms.f-static.net/uploads/4385417/normal_603ab6ae23fd3.pdf
    • https://cdn-cms.f-static.net/uploads/4484605/normal_606e4064dc3af.pdf
    • https://cdn-cms.f-static.net/uploads/4475999/normal_60468c273fd66.pdf
    • https://wimukesogizat.weebly.com/uploads/1/3/4/6/134639197/79bfd3be02a0b.pdf
    • https://vesedosaripiwuj.weebly.com/uploads/1/3/1/6/131636692/28510c7b9.pdf
    • https://jomunibudax.weebly.com/uploads/1/3/4/3/134342604/rixuzuwoxeza_zewado_wezew_norunutikekedex.pdf
    • https://cdn-cms.f-static.net/uploads/4427079/normal_5fda615ad51ad.pdf
    • https://maraliva.weebly.com/uploads/1/3/2/7/132712127/mijujinitav.pdf
    • https://cdn-cms.f-static.net/uploads/4459025/normal_604ec15a455af.pdf
    • https://cdn-cms.f-static.net/uploads/4450907/normal_60464841e389f.pdf
    • https://static.s123-cdn-static.com/uploads/4450746/normal_5fe4cad57c6b9.pdf
    • https://static.s123-cdn-static.com/uploads/4449424/normal_5ff3d271b1837.pdf
    • https://static.s123-cdn-static.com/uploads/4475391/normal_5fcd710d89a56.pdf
    • https://cdn-cms.f-static.net/uploads/4471514/normal_601d00e295943.pdf
    • https://static.s123-cdn-static.com/uploads/4365570/normal_5feb8e83832f0.pdf
    • https://cdn-cms.f-static.net/uploads/4379219/normal_5fd7d702700f2.pdf
    • https://kigilepoda.weebly.com/uploads/1/3/4/9/134901239/ed970f0a4bb347.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/5618e7af-ebf7-48a4-92ba-38d424af8770/back_to_eden_documentary_netflix.pdf
    • https://uploads.strikinglycdn.com/files/ae2c6599-694e-450a-872d-6dfdf087f5fa/redopegerowugoki.pdf
    • https://uploads.strikinglycdn.com/files/f4fe49d4-00c8-42b2-ba9f-84f49278e951/netgear_prosafe_jgs524e_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecd3.bin
16f04b9e13dfd62799dae31ea5cba165b1221d6a67c7f4623c1d74eb173e6df0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECD3 4736 bytes
font_01_sfnt_off0000fcc0.bin
cc11b65703c7569757e9e068690b2b25eca2ea51c0d8de425e552b130ce7cafb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFCC0 10908 bytes
font_02_sfnt_off00012210.bin
db8bfead7e7ba4badf29cbe14cd7a6af14740a2d1d8aa340fa4c53ce4a697760		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12210 16764 bytes
font_03_sfnt_off00013982.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13982 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.