Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cbae1766359954d…

MALICIOUS

PDF

91.6 KB Created: 2021-03-21 05:17:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad5a2891f6d813defff0cd45614f0cb8 SHA-1: 6c99d77ac83b2f9bc61b02b6937f9d89f730ff91 SHA-256: 1cbae1766359954df8211069a6407758fb2316a7ccd2189c70b52d06d08404e1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, and exhibits characteristics of a PDF link farm. It contains numerous external URIs, with a primary one pointing to a URL that appears to be part of a keyword-driven content farm. The PDF structure also indicates it's designed to host a large number of external links, likely to facilitate phishing or distribute further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=studying+the+8+prayer+watches+of+the+bible
    • https://vevotudoxis.weebly.com/uploads/1/3/5/3/135313682/83d7319.pdf
    • http://excellent-spb.ru/76335785934023t2.pdf
    • http://tameenegypt.com/excel_vba_programming_tutorial_for_beginnersa5u8z.pdf
    • https://kiniwotonupit.weebly.com/uploads/1/3/0/7/130776343/juxebivubizuket_gamojoke.pdf
    • https://wururozudarorar.weebly.com/uploads/1/3/1/3/131380521/973651.pdf
    • https://cdn.sqhk.co/ranotigu/LjGzihl/viwemajuti.pdf
    • https://vopupina.weebly.com/uploads/1/3/1/0/131070761/5576384.pdf
    • https://sazimopugis.weebly.com/uploads/1/3/4/6/134611647/pitewosibuxixaz-rusiworejeru-xoregoleke.pdf
    • http://sluzhba1.net/percy_jackson_film_streaming_3r3ka3.pdf
    • https://cdn.sqhk.co/bitaxukezor/gi69zjj/flexeril_and_alcohol_withdrawal.pdf
    • https://fabupegux.weebly.com/uploads/1/3/4/6/134689396/dogupusereroj.pdf
    • http://klokisik.space/act_bubble_sheet_2020kglha.pdf
    • http://nikaold.site/how_long_do_you_microwave_a_medium_size_sweet_potato39ua7.pdf
    • https://kedadatiwuji.weebly.com/uploads/1/3/4/8/134891749/jesokogututan.pdf
    • https://cdn.sqhk.co/bibilofefi/NhgghsR/39122683599.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/9e35799c-5921-47e7-8ff0-7e4084365264/9322147334.pdf
    • https://uploads.strikinglycdn.com/files/ec693727-aaf2-4df9-8661-442e39feb418/39795954669.pdf
    • https://uploads.strikinglycdn.com/files/d622dc7d-429a-4e3c-9018-5197d557136d/what_is_meant_by_reimbursable_expenses.pdf
    • https://uploads.strikinglycdn.com/files/b1ea9be0-8aa7-40d7-b9af-3a9368ffb709/runosanopumivegewagon.pdf
    • https://uploads.strikinglycdn.com/files/d5c58ab1-938d-4735-a2b7-145e361f7f2e/46314981743.pdf
    • https://uploads.strikinglycdn.com/files/cf89e310-dee5-409f-90d5-97f7587ef94d/guwanog.pdf
    • https://uploads.strikinglycdn.com/files/0e4b0171-6246-4e62-8c8b-09be7414d2d8/are_kenmore_washer_dryers_good.pdf
    • https://uploads.strikinglycdn.com/files/3755fe4e-0dd0-4de4-9949-e59b2cc45727/sbi_clerk_exam_solved_question_papers_with_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011ad8.bin
7f0ab8e15486b3d60e8c322eb5302ede81790579538c7157e24a8441a6fad926		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11AD8 5928 bytes
font_01_sfnt_off00012f03.bin
72c6c28708464e235c22a60bee36ecbe20f2a74daeeee559c3e03094061618c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F03 10496 bytes
font_02_sfnt_off000152d3.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x152D3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.