Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a3c5e8f0c1609cc…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-05-25 14:54:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5cadb031408500fc82cd39c4a6c3efe
SHA-1: 22b496653506c4ebd62bb8d53b5ecee67870665c
SHA-256: 1a3c5e8f0c1609cc0974dbd62c0b0b98cde4123f16d41ea58a0b5b60cda2680c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, one of which points to a URL that appears to be a search result for educational materials, suggesting a lure. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, many of which are likely malicious or part of a link farm designed to obscure malicious intent. ClamAV and the ML classifier also flagged this PDF as malicious, specifically as a phishing or trojan variant.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/wb?keyword=prachi%20maths%20book%20class%206%20solutions%20pdf%20download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ed2f.bin
    SHA-256: faa471d93459d49eda0cd78bc6e36475e082097a1a654fa0959929bbc6038f8d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED2F
    Size: 5848 bytes
  • Filename: font_01_sfnt_off000100f5.bin
    SHA-256: 89289c1353fa5a3ed1de3a4f4dde3b8b8266f89c6b989e653d63b2c81dcd118d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100F5
    Size: 10312 bytes