Malicious PDF — malware analysis report

Static analysis result for SHA-256 196501c4ee8b51d2…

Verdict: MALICIOUS
File type: PDF
Size: 81.4 KB
Created: 2021-03-14 23:19:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 771903a8b1991e52f40483e7f36870a7
SHA-1: 740c9273c4e7b7756cb29f0abd0b0f6d0f77a365
SHA-256: 196501c4ee8b51d2e7460e43865d352a6d10a0a9d1f7e2688180d6fc12280571
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number pointing to a link farm designed to host other PDF documents. One of the primary external links, 'https://xezojetit.ru/strik?utm_term=how+do+you+calculate+currency+exchange+rates', suggests a lure related to financial topics. The presence of a large number of external links and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicate a malicious intent, likely for phishing or distributing further malware. No scripts were extracted, but the PDF structure itself is used to host and link to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xezojetit.ru/strik?utm_term=how+do+you+calculate+currency+exchange+rates

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fed8.bin
    SHA-256: 469a0c5364e90fb68eff4b42048ccf3bb82ee72a2a6441debb1cecb462d97c99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFED8
    Size: 5424 bytes
  • Filename: font_01_sfnt_off0001115c.bin
    SHA-256: f298efcad02b6454214fe43ea8016bcd8b6208b69dc43d33c5998a704e096548
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1115C
    Size: 11240 bytes