Malicious PDF — malware analysis report

Static analysis result for SHA-256 16f933a00bbaecb5…

MALICIOUS

PDF

Size: 66.9 KB
Created: 2021-04-03 22:51:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 391c41e41385c722395f52727062ca6c
SHA-1: 7dd57131dd49efab36dea3257dd765e75c6d8e53
SHA-256: 16f933a00bbaecb56a806f206061f8b2e3d037f4895150edcc98ba4a19ec0f7a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains numerous external links, with one heuristic indicating a potential link farm designed for SEO manipulation. The document body, though heavily obfuscated, suggests a lure related to an English literature reader, likely to trick users into clicking malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=interact+in+english+literature+reader+class+9+pdf
    • http://soldatskaya6.ru/betofoxefapubasanp5y9z.pdf
    • https://cdn.sqhk.co/rumoligodo/jc39Ajd/92478059316.pdf
    • http://miwukewemiko.22web.org/fudarorasaxuxinake.pdf
    • http://ritual-venki.online/will_exercising_30_minutes_a_daytcwyf.pdf
    • http://pozesex.iblogger.org/palitotapozijil.pdf
    • https://wikoxunorature.weebly.com/uploads/1/3/5/9/135968981/8677630.pdf
    • https://cdn.sqhk.co/govulasem/Rvhgd5B/87760389254.pdf
    • http://toxipoxekej.medianewsonline.com/mckesson_employees_federal_credit_union_phone_number.pdf
    • http://vawagizipul.iblogger.org/konsep_ketuhanan_dalam_agama_buddha.pdf
    • http://fogejebimo.scienceontheweb.net/salabidujofunolegezen.pdf
    • https://cdn.sqhk.co/zudilubal/jbRjhau/increase_permgen_space_in_tomcat.pdf
    • https://karujuxu.weebly.com/uploads/1/3/4/7/134717714/suxoza.pdf
    • https://tojoniwov.weebly.com/uploads/1/3/4/6/134602819/koligazitetof.pdf
    • https://zimavilagapiwe.weebly.com/uploads/1/3/2/7/132712623/xinikajez_reguxegejidilew.pdf
    • https://bapefakujina.weebly.com/uploads/1/3/4/4/134483882/bemulabexepo_tujimuxapiludo_lusisetonodon.pdf
    • http://rilotelexewobos.iblogger.org/tefal_pressure_cooker_soup_recipes.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e809654a-a95b-4dbc-a338-24085255a2f8.filesusr.com/ugd/1b6cec_32952ad4d33e46eaba131d55a3c8a8ef.pdf?index=true
    • https://0a3c8164-ddd9-4522-8472-457ce31ece15.filesusr.com/ugd/d32f78_984ebdef6fcf4596ab8c60f41636f0fa.pdf?index=true
    • https://383fd46b-cc41-47b7-9379-19c19d7bb1fe.filesusr.com/ugd/81c43a_8516c4babaa2412bae16e270d254e9f5.pdf?index=true
    • http://zokepufa.epizy.com/libro_de_cantos_catolicos_para_difuntos.pdf
    • https://72dfff08-f6cb-4f5d-aaac-ebe71175d6a6.filesusr.com/ugd/c268f7_452dea2b98ea4e9eb47bb644a7049711.pdf?index=true
    • https://db6a684c-bd73-4a61-997a-17040cc1d896.filesusr.com/ugd/bbbb20_8d3a0adaa426470b8d84917f68ce7740.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c5e4.bin
  SHA-256: 3dfb7adc234467189987586ff97e4bd3ef902d3a32c64ed31c0526f052e731b5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC5E4
  Size: 5508 bytes

Filename: font_01_sfnt_off0000d88f.bin
  SHA-256: 5f8a98e9fd54c1fd70d6ac1063c908ed1840b3faca548453c0a9da4404e89b60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD88F
  Size: 10388 bytes