Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c341c45d2622917…

MALICIOUS

PDF

88.7 KB Created: 2021-03-20 17:38:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0eb1346b948ed26a878c8dc38b05b147 SHA-1: af7bb1e652543cc29384edf100f73047116c27d7 SHA-256: 1c341c45d26229171f3f120b2d29ed520c37487f7f8c02677e2b8c87d50d53aa
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier indicating maliciousness. The presence of a 'Clipboard command execution lure' heuristic suggests the document instructs users to copy and paste commands into a shell, a common technique for downloading and executing secondary payloads. The numerous external links, many pointing to PDF files, indicate a potential link farm or distribution mechanism for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=chapter+5+medical+terminology+quiz+answers
    • https://cdn.sqhk.co/kigimijexap/dHcjcia/craigslist_denver_jobs.pdf
    • https://cdn.sqhk.co/nizekidido/g6jjP6r/bingo_nights_perth.pdf
    • https://cdn.sqhk.co/favosejo/jjifjfH/animal_sounds_at_night_in_nc.pdf
    • https://static.s123-cdn-static.com/uploads/4484399/normal_5feb1aac2b250.pdf
    • https://cdn-cms.f-static.net/uploads/4467004/normal_601f1c5517f56.pdf
    • https://cdn.sqhk.co/niturunajik/XigHTSi/intracerebral_hemorrhage_guideline_2017.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4269f7c0-59d1-4c59-9afd-2a223d12ef28/vanamukuz.pdf
    • https://uploads.strikinglycdn.com/files/ea1423d5-711b-48d9-a17c-708749ae4667/how_to_use_ge_advantium_oven.pdf
    • https://uploads.strikinglycdn.com/files/22afd9c3-72b9-459c-bdaf-125e519037e2/chaos_theory_splinter_cell_ps2.pdf
    • https://uploads.strikinglycdn.com/files/71e005ec-fd9b-4634-a968-6752cdb1cb38/piwefebun.pdf
    • https://uploads.strikinglycdn.com/files/c3c29702-0349-4fca-8e9a-25d068a0208a/82747175149.pdf
    • https://uploads.strikinglycdn.com/files/26d63b33-f0eb-4f37-b773-613cfd3b03c8/84052045007.pdf
    • https://uploads.strikinglycdn.com/files/8084b9aa-3108-44d7-a637-15f9841e7da9/profusion_heat_ceiling-mounted_electric_garage_heater_reviews.pdf
    • https://uploads.strikinglycdn.com/files/626724f9-28df-4b25-aaa3-c971f81a1a7c/how_to_start_an_online_magazine_in_south_africa.pdf
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_7d3ebc783f744076a4a7748b0e9f2cb5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bf4e37c4-4e1f-4f7c-b55d-3ad74afee4ea/gelup.pdf
    • https://357b8bef-7330-4cfe-b31d-389db25c4d5a.filesusr.com/ugd/4c76bf_150507778aa34e75a5ac9ee7e54ee5bb.pdf?index=true
    • https://53ebb62d-ddaf-432f-8dc3-1f4746653467.filesusr.com/ugd/bbd3cf_4d54d710742d47428574de63b4914dbe.pdf?index=true
    • https://97783159-ced7-426e-9fbd-60d2bb3342fb.filesusr.com/ugd/00058f_e63ac0ff609343f3b44f3f589b828b83.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f60657dc-d194-4194-bfac-47196f120416/sobitizos.pdf
    • https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_c067eb7b98b642a185ee81877e5de94c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000112b7.bin
8678461a36318f73caa47be7720532798183d8a18b717e055a12ae2b3be44fb2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112B7 1528 bytes
font_01_sfnt_off00011a7e.bin
1ae6bf5c6db404acd3e6694da08a514c1bed85803bd914d4d26edb31d8341322		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A7E 5888 bytes
font_02_sfnt_off00012e70.bin
e55542ca98ff80eb6853623a676c0dc59af1dbfa7f75f657fd51b1d3036525ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12E70 11340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.