Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ac263c26d8ecd93…

Verdict: MALICIOUS
File type: PDF
Size: 84.8 KB
Created: 2021-03-30 18:56:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f3e4cf63a2ac0f4a09d006f5d76fc1a
SHA-1: bb056d51ca006e55d8b2d8f02ab779507b8cbb89
SHA-256: 1ac263c26d8ecd93651b2a68cc8a500fd3acd7522fdd183deb557a54d4f6e448
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, suggesting a link farm or SEO manipulation tactic. One of the extracted URLs, https://leonvi.ru/strik?utm_term=is+percy+poseidon%2527s+favorite+son, is likely part of this malicious infrastructure. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDF documents from web content, which can be abused for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=is+percy+poseidon%2527s+favorite+son

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010e95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E95 | 5252 bytes
  SHA-256: 9a98d9edb8984661542f2c821a2d3361e154a541b3852baa394bf16c4cfd1567
font_01_sfnt_off00012097.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12097 | 11028 bytes
  SHA-256: 3bc2ec363afd335f432c110a412c2069c93605d3b4439848eca4090d065da8f5