Malicious PDF — malware analysis report

Static analysis result for SHA-256 18456d73a239fda1…

Verdict: MALICIOUS
File type: PDF
Size: 74.6 KB
Created: 2021-03-31 07:33:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8c501de3b133231dbff3becee14e5b6
SHA-1: 907f01a8b913711f2d804232246ca8c9da35e69b
SHA-256: 18456d73a239fda16dbdb1f54200e08b28a4ba239251a64f2cb87332ee67027b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or malware distribution lure, as indicated by the ML classifier and ClamAV detection. It contains a large number of external links, many of which are likely part of a link farm designed to improve search engine rankings for deceptive content. The primary malicious URL identified is jumiwimov.ru, which is presented as a resource for downloading sound drivers. While no scripts were explicitly extracted, the PDF structure and numerous embedded URLs suggest an attempt to redirect users to malicious sites, potentially for further payload delivery or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=how+to+download+sound+driver+for+windows+10

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e811.bin
    SHA-256: 6b7403b25720e47a9ae0b4d9a420355e2d369d12fa09ec4475544eefa10283dd
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE811; Size: 5208 bytes
  • Filename: font_01_sfnt_off0000f9f1.bin
    SHA-256: 3767a011bcc7b056e77aa31f9ee61a9324f2c8211178aae01ac43f5d5ba9c677
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF9F1; Size: 10380 bytes