Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c32f9026f0a8f81…

MALICIOUS

PDF

93.6 KB Created: 2021-04-18 11:28:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4f7d838d6fe0d0ac98c2b4416c15353 SHA-1: e3c6ba5815fd28be56a50f20f3046015b420aa07 SHA-256: 1c32f9026f0a8f819a711ac44081d8754c68ebe67be8b16aa9281efe39972e53
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are likely part of an SEO spam or phishing campaign. The primary URL, https://vilenefex.ru/strik?utm_term=most+common+german+last+names+forebears, suggests a lure to a website that may host malicious content or phishing forms. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=most+common+german+last+names+forebears
    • https://static.s123-cdn-static.com/uploads/4463554/normal_5fe0d67181fe8.pdf
    • https://cdn-cms.f-static.net/uploads/4500895/normal_605c74e346264.pdf
    • https://lomofatawepap.weebly.com/uploads/1/3/4/5/134599642/1017275.pdf
    • https://xijivokabororix.weebly.com/uploads/1/3/4/8/134879859/gawovo-xitawelopam.pdf
    • https://giravegide.weebly.com/uploads/1/3/2/6/132681237/618169.pdf
    • https://ziropiwos.weebly.com/uploads/1/3/4/3/134311351/6780120.pdf
    • https://cdn-cms.f-static.net/uploads/4369638/normal_5fd3c7922dbfd.pdf
    • https://fexasesari.weebly.com/uploads/1/3/1/0/131070539/zumijanegufu_jagofatitan_berilozodupa_wakurutewivesuk.pdf
    • https://cdn-cms.f-static.net/uploads/4490116/normal_6053d7f4031dc.pdf
    • https://static.s123-cdn-static.com/uploads/4494139/normal_5ffdeaa5db4c7.pdf
    • https://cdn-cms.f-static.net/uploads/4366029/normal_6036c6935684a.pdf
    • https://cdn-cms.f-static.net/uploads/4413122/normal_60339fbdefdf3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_ea9a56d216584901adc05d85bc70fff2.pdf?index=true
    • https://a3de454e-1598-42bb-a259-4eb69c42f179.filesusr.com/ugd/fb5067_39517383538c4bbd9b88d23773bce0ef.pdf?index=true
    • https://s3.amazonaws.com/zidenigad/kajavoponibevijopimin.pdf
    • https://ec451167-49e0-489e-a150-d7dc0ecf9264.filesusr.com/ugd/fe0276_18cde4e8d62345eaa7e1dee19f811089.pdf?index=true
    • https://f7cac2f2-528f-490f-9bef-cb2448a877de.filesusr.com/ugd/529ba0_d6abd7b3dc5545cea892c39b4cd70676.pdf?index=true
    • https://s3.amazonaws.com/fewunadupop/58917168845.pdf
    • https://s3.amazonaws.com/lorerexeg/tanenovozuvepazexelosa.pdf
    • https://4f0754e2-f0c4-47db-826b-83042027646c.filesusr.com/ugd/7a11b0_6b623e81aa554d12b293a5b52c92b39a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00014f87.bin
295584a3a2d0b53c568a7a6edc2fb804385e519ca90e31dcb83dee3b7b291246		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x14F87 17272 bytes
font_00_sfnt_off000113a1.bin
627dfbe83ad82c81199eb54ab61b628751dfab74a38021fe63277a731e2b3a0e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x113A1 5344 bytes
font_01_sfnt_off000125c6.bin
a75f827c1a3e8e51826bdcdceefd929067980c07f6bf7df1b163e6cc061f41e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125C6 13096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.