Malicious PDF — malware analysis report

Static analysis result for SHA-256 1be3c461a61acf60…

MALICIOUS

PDF

Size: 139.5 KB
Created: 2021-04-07 04:48:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: c0a17bf93d5207b2daab58076383ff9c
SHA-1: 9dea950df0fcf9727dd9857f151c3b303d832f14
SHA-256: 1be3c461a61acf60a48a370aff6e213b182c69eca90a8eaefc5a929da8f7e003
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojanized document. It contains a large number of embedded external links, many pointing to S3 buckets and other domains, suggesting a link farm or redirection scheme. The primary URL, 'https://golowaki.ru/123?utm_term=happy+birthday+songs++in+tamil', appears to be part of this lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9624

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=happy+birthday+songs++in+tamil (PDF link annotation)
    • https://bubipirem.weebly.com/uploads/1/3/6/0/136086135/wiziwanazu.pdf (in PDF document text)
    • https://cdn.sqhk.co/taxodisilif/qEhfoia/afterburn_aftershock_film.pdf (in PDF document text)
    • https://jorojesa.weebly.com/uploads/1/3/4/8/134861508/xedidebozibumu_xerise_ribubek_xuxip.pdf (in PDF document text)
    • https://cdn.sqhk.co/lixejudazeza/ahcjaii/53441518004.pdf (in PDF document text)
    • https://cdn.sqhk.co/nowonipewo/gtFjehg/watch_syfy_movies_on_youtube.pdf (in PDF document text)
    • https://cdn.sqhk.co/maxabamed/gfxhd5O/biwevapev.pdf (in PDF document text)
    • https://cdn.sqhk.co/pulizojiwim/ihXibic/bright_dog_collars.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102Hussain (in PDF document text; URL extracted with trailing font-metadata characters)
    • http://smc.org.inhttp://smc.org.in (in PDF document text; two adjacent URLs extracted as one string)
    • http://www.opentle.org (in PDF document text)
    • https://s3.amazonaws.com/libosokune/key_informant_interview_report.pdf (in PDF document text)
    • https://s3.amazonaws.com/zizene/dejukufakopagoloje.pdf (in PDF document text)
    • https://s3.amazonaws.com/dupula/tailoring_guide_wotlk.pdf (in PDF document text)
    • https://s3.amazonaws.com/nagudo/47570784323.pdf (in PDF document text)
    • https://s3.amazonaws.com/toguvaju/jesefuwuginimatolavuzafax.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9d8ba7c3-c0b3-4a88-a3ff-51c86e215970/pirepowimotemizaruzujesa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/120d2443-411f-490c-b1e5-eace1236166d/96479321601.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/44005cd5-767d-451e-9c4e-2c223954ca93/27281897176.pdf (in PDF document text)
    • https://s3.amazonaws.com/sejakopa/tabla_de_equivalencias_de_unidades_de_medida_fisica.pdf (in PDF document text)
    • https://s3.amazonaws.com/paxivogedewilu/30793552057.pdf (in PDF document text)
    • https://s3.amazonaws.com/bidivo/85680855080.pdf (in PDF document text)
    • https://s3.amazonaws.com/farefasejikap/ansys_aim_19.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • https://gitlab.com/smc/meera/blob/master/COPYING (in PDF document text)
    • http://sinhala.sourceforge.net/ (in PDF document text)
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS (in PDF document text)
    • http://www.gnu.org/licenses/gpl-2.0.html (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fde6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDE6 | 14328 bytes
  SHA-256: a32c3457c7ef19996330f548f368478d9bde32277661fd4197e243a887c5d38e
font_01_sfnt_off00012ceb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CEB | 5576 bytes
  SHA-256: 5c7751c599810c9ff695f1246112a4c998d82cf185ce5d5d0daf9c0e1da0e490
font_02_sfnt_off00013fac.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FAC | 4988 bytes
  SHA-256: 6e016cfe4aa0c36b6eb8222481c1d02f96432e9f12cf318cfcde32870cf93483
font_03_sfnt_off00014f68.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14F68 | 4796 bytes
  SHA-256: bcb1a5cf420280dae82c477d12a169b71680211a3fb64004dd6591c81f0caf64
font_04_sfnt_off0001612b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1612B | 5824 bytes
  SHA-256: c89805067ab7e8f1712ad859b72790408faef0581f72af7821f5f0d637459634
font_05_sfnt_off000174e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x174E5 | 7940 bytes
  SHA-256: 8041c36a0aeb641150eae0b5d01ab4daaff796d49b7b62d78a0b0c7ae46ccaff
font_06_sfnt_off00018d06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18D06 | 7452 bytes
  SHA-256: 0126625c71114e2940ed706e414ae6a517aa2e3c50307c3a3d706ccd67f352e7
font_07_sfnt_off0001a184.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A184 | 24644 bytes
  SHA-256: ebb0d8a2d17a7dec1c44345a58e15f7c9f94c4dd8818b080b120f37dc328d785
font_08_sfnt_off0001e37b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E37B | 22196 bytes
  SHA-256: d3960190045283166904e2f14bc6cb8f6b9138f8be3d6522b6e10207b662b42a
font_09_sfnt_off00020c48.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x20C48 | 5016 bytes
  SHA-256: 55b55b43899e3a109d55f4591bf137358b23dc525ad66d4e1d18ec35e86ada7b