Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d468b0ec0d602e4…

MALICIOUS

PDF

Size: 86.8 KB   Created: 2021-04-06 07:09:15 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a72899278093130b0dfabdb37c7dd68d   SHA-1: d5ff3bcb1744db2b1e22e78326423bb881d2e530   SHA-256: 1d468b0ec0d602e4a7df6e497e55c5e3f6c6f225688cec6a415e44498ea85695
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external link annotations, most of them pointing at other "manual"/"guide" style PDFs on a handful of static-hosting and CDN endpoints. That is the shape of a generated SEO link farm built to draw search traffic, not a document's normal citation pattern. One URL stands out as the lure target: 'https://pelibifir.ru/wix?keyword=scunci+steamer+manual+pdf', whose query string carries the same search-bait keyword the document is built around. ClamAV's 'Pdf.Phishing.Trojan' detection corroborates the verdict. No JavaScript or other script content was extracted from the file, so the T1059.007 mapping is not backed by recovered code; the verdict rests on the link structure, the heuristics below and the classifier score, and the file is best read as a phishing or unwanted-software delivery carrier rather than an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=scunci+steamer+manual+pdf
    • https://cdn-cms.f-static.net/uploads/4382974/normal_606b90fed20d0.pdf
    • https://static.s123-cdn-static.com/uploads/4367290/normal_6002b90625664.pdf
    • https://cdn-cms.f-static.net/uploads/4487927/normal_6033e33cba30f.pdf
    • https://cdn-cms.f-static.net/uploads/4422135/normal_60333aa4d916a.pdf
    • https://cdn-cms.f-static.net/uploads/4418379/normal_6020fa4dd8b56.pdf
    • https://cdn-cms.f-static.net/uploads/4477386/normal_602e00b4743d2.pdf
    • https://static.s123-cdn-static.com/uploads/4392857/normal_5fc89e85615fa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/senodiw/esl_progress_report_card_comments.pdf
    • https://b86313a8-447b-404d-ae6d-bc69740d899e.filesusr.com/ugd/e54fc7_ae97ecb549ed47fa8a1b0e37ec51634f.pdf?index=true
    • https://s3.amazonaws.com/jivuxo/paxumimuvutoxed.pdf
    • https://s3.amazonaws.com/zoxewudunigus/47854742602.pdf
    • https://s3.amazonaws.com/sogovekevi/why_is_my_lg_refrigerator_not_dispensing_water.pdf
    • https://uploads.strikinglycdn.com/files/40b91cbf-0dba-4497-ae54-d47a35fee5de/google_chrome_delete_search_bar_history.pdf
    • https://uploads.strikinglycdn.com/files/3faa054f-d4b2-46b3-ac26-c42997283ca0/92289927054.pdf
    • https://s3.amazonaws.com/lixasifasi/avatar_the_legend_of_aang_comics.pdf
    • https://s3.amazonaws.com/wutezigojuxi/fatima_gul_song.pdf
    • https://2ffa788b-df2f-461f-b9c5-573bec542745.filesusr.com/ugd/374ce0_15eba65a9fbd4a8b87d0a9f1945d16b2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2cb3ca9d-79a3-4607-9f4d-71e4f2b68df2/506514772.pdf
    • https://uploads.strikinglycdn.com/files/162a42ab-4498-412a-bb88-dbd7a45fce56/84868272474.pdf
    • https://s3.amazonaws.com/wefemabeni/37698469252.pdf
    • https://s3.amazonaws.com/juzowilipi/muzutupi.pdf
    • https://7e70056c-c2aa-4e53-98c5-50750123c107.filesusr.com/ugd/f8ae5d_eb154aef7853425abd5ca4f28128df82.pdf?index=true
    • https://s3.amazonaws.com/bezorito/album_chungha_blooming_blue.pdf
    • https://ac734925-007a-49fa-9a6b-2340142042ec.filesusr.com/ugd/ea78e0_d26bf3c20e154218baeb2e7e0b0d768f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ddb3a4ec-fd01-4944-b290-506371d0c474/what_lens_best_for_portrait_photography.pdf
    The URIs below (and the two ascendercorp.com entries above) are XMP/RDF metadata namespace identifiers and font vendor or licence references of the kind typically carried in embedded fonts' name tables; they are metadata, not lure links.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
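
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, re-implemented as a stand-alone triage script. This is an added example, not the analysis engine's own code. The thresholds, the list of "active content" dictionary keys and the constructed sample PDF with made-up hosts are assumptions, and it scans raw object syntax with regular expressions in the pdfid style rather than parsing the file, so objects packed into compressed object streams or filtered dictionaries are not seen.

```python
"""PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL re-implemented for triage.

Raw-syntax scan only (pdfid style): objects inside /ObjStm streams or filtered
dictionaries are invisible here, so a miss means "nothing visible", not "clean".
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Thresholds are assumptions for this example; the report does not publish its own.
SMALL_FILE_LIMIT = 512 * 1024   # bytes; what counts as a "small PDF"
MIN_URI_ACTIONS = 10            # how many clickable external links count as "many"
TOP_HOST_SHARE = 0.5            # share on the busiest host to call the links "clustered"
# Keys that make a redefined object count as active content (assumed list)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/AA",
               b"/OpenAction", b"/EmbeddedFile", b"/SubmitForm")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal strings only; hex strings/escapes out of scope


def external_uris(pdf: bytes) -> list:
    """Targets of every /URI action found in the raw bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_check(pdf: bytes) -> dict:
    """Small file + many /URI actions + most of them pointing at one host."""
    uris = external_uris(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    share = top_count / len(uris) if uris else 0.0
    hit = (len(pdf) <= SMALL_FILE_LIMIT and len(uris) >= MIN_URI_ACTIONS
           and share >= TOP_HOST_SHARE)
    return {"hit": hit, "uri_count": len(uris), "top_host": top_host,
            "top_host_share": round(share, 3), "hosts": dict(hosts)}


def duplicate_object_check(pdf: bytes) -> list:
    """One finding per 'N G obj' that appears with two or more different bodies.

    Both the first-wins and the last-wins body are returned because readers
    disagree on which one they render.  Severity is 'critical' only when a body
    carries active content; a plain incremental update of metadata stays 'info'.
    """
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    findings = []
    for (num, gen), seen in bodies.items():
        distinct = list(dict.fromkeys(seen))      # keep order, drop byte-identical repeats
        if len(distinct) < 2:
            continue
        active = any(k in body for body in distinct for k in ACTIVE_KEYS)
        findings.append({"object": f"{num} {gen}", "definitions": len(seen),
                         "severity": "critical" if active else "info",
                         "first_wins": distinct[0], "last_wins": distinct[-1]})
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for the analysed file (hosts are made up): 12 link
    annotations, 9 of them on one host, plus object 4 redefined with an /OpenAction."""
    links = [f"https://farm-host.example/uploads/{i}/normal_{i:08x}.pdf" for i in range(9)]
    links += ["https://lure.example/wix?keyword=manual+pdf",
              "http://fonts.example/license", "https://other.example/x.pdf"]
    annots = "".join(
        f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >>\nendobj\n"
        for i, u in enumerate(links, start=10))
    refs = " ".join(f"{i} 0 R" for i in range(10, 10 + len(links)))
    pdf = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
        "4 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
        + annots +
        # incremental-update style redefinition: same object number, new body, active content
        "4 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) "
        "/OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >>\nendobj\n"
        "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf.encode("latin-1")


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_check(sample))
    for f in duplicate_object_check(sample):
        print(f["object"], f["severity"], f["definitions"], "definitions")
```

To run it against a real file, pass `open(path, "rb").read()` to the two check functions. The link-farm result carries the per-host counts so the analyst can see the clustering that drove the hit, and the duplicate-object finding carries both candidate bodies, which is what you need to decide whether a first-wins or last-wins reader is the one being targeted.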

Extracted artifacts (3)

Files carved from inside the sample during analysis. Embedded TrueType/OpenType (sfnt) fonts are expected in wkhtmltopdf/Qt output and are not indicators on their own; their hashes are listed for correlation.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fa8e.bin | ed2b0179ac4e2054e41f1f77acd9a1bc90466d868098e1e217c206c416fb6ace | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA8E | 5404 bytes
font_01_sfnt_off00010cd9.bin | 8ffb5539a271f8561fbdb2e425c2afdc468f59ec11076d4b1beb76102d4f6155 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CD9 | 11360 bytes
font_02_sfnt_off000133bd.bin | 61a1aebdef4a972455aa54311bdd76e8b1514aee3781bb94213c4364d7a54fa1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x133BD | 17912 bytes