Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ec15d7a62fbee86…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-04-12 00:53:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb3f2879d3ec2717e6bab3617bd5e153
SHA-1: ead1de20f73695e5d8108fcd4387d61fbf43e94f
SHA-256: 1ec15d7a62fbee86997ef2bdf7ef38119c58f5a9836c807bb4cc8c088869f17b
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is classified as malicious by the ML classifier (score 0.9997) and by ClamAV, which names it a PDF phishing trojan. It is a small document that embeds many external links: the most prominent, https://jottigo.ru/strik?utm_term=short+stories+in+english+with+moral, is an SEO redirector whose utm_term parameter carries the search-keyword lure, and the rest (esparks.ru and a spread of free-hosting domains) point at further PDFs, consistent with a redirect-and-download chain rather than genuine citations. Although the document body is heavily obfuscated, its metadata identifies the authoring application as wkhtmltopdf 0.12.5 (the PDF was rendered from HTML) and carries a misleading title that reinforces the lure. No exploit or active content is found in the PDF itself; the risk is the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    A small PDF contains many clickable external links to other PDFs, spread thinly across many distinct hosts with no single dominant host, corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts (here the jottigo.ru redirector and the weebly.com, strikinglycdn.com, sqhk.co, epizy.com and similar destinations). This is the 'free document/template' SEO phishing PDF family: the document is built to rank for search queries and route visitors into payload/redirect chains, not to cite sources. The PDF itself carries no exploit; the risk is in the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also normal in benign incremental updates (a later revision appended after %%EOF), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Not every entry below is a lure destination: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document metadata, and scripts.sil.org/OFL is the SIL Open Font License URL commonly carried in an embedded font's name table.
    • https://jottigo.ru/strik?utm_term=short+stories+in+english+with+moral
    • http://esparks.ru/castellar_font_free_maccjjxd.pdf
    • https://lurakowufo.weebly.com/uploads/1/3/4/4/134457973/7217369.pdf
    • http://kanshoper.site/83741471060cbv4f.pdf
    • http://rosipale.scienceontheweb.net/luvabitiwavifenusovewi.pdf
    • https://cdn.sqhk.co/mazinatefoso/4CgciC9/asciidoctor-_maven-_plugin_generate.pdf
    • http://eushopvmn.site/how_to_storyboard_an_appfczwg.pdf
    • https://wopegukozawemab.weebly.com/uploads/1/3/4/7/134727928/4b8c1eeb173.pdf
    • https://menegelobeka.weebly.com/uploads/1/3/4/9/134903334/6414120.pdf
    • https://cdn.sqhk.co/gonolesuzam/X262ic4/24345662201.pdf
    • http://avlto.best/best_pressure_washer_surface_cleaner_for_deckso0m4a.pdf
    • https://tasuvuka.weebly.com/uploads/1/3/4/1/134108605/a129754714c5a35.pdf
    • http://bomepufibawil.scienceontheweb.net/hp_deskjet_2544_scan_to_computer.pdf
    • https://tujobofawoti.weebly.com/uploads/1/3/2/6/132695409/kawalugaxed-suxolo-kodojise-lakudu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tijuvewoduga.onlinewebshop.net/circular_motion_notes_class_11.pdf
    • http://zobawukesilebaf.epizy.com/bomodinetemetisuf.pdf
    • https://uploads.strikinglycdn.com/files/af5e9a75-ab93-4659-9043-b60f31946c44/80080841990.pdf
    • https://uploads.strikinglycdn.com/files/f84741fc-6387-4578-85e7-df1ff559c6cd/pezerowovozakagifevoxida.pdf
    • http://kodadus.epizy.com/2016_camaro_2ss_performance_specs.pdf
    • https://uploads.strikinglycdn.com/files/f4987d25-fd38-48c7-83f5-eeec8af37ee8/janenawozajega.pdf
    • http://sujetolus.epizy.com/what_setting_should_a_dehumidifier_be_set_at.pdf
    • http://nujugeteteda.myartsonline.com/medical_instrumentation_john_g_webster.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
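The PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small byte-level scanner. The following is an added example, not the analysis engine's own code: it walks the 'N G obj ... endobj' definitions with a regular expression, reports object numbers defined more than once with differing bodies (showing what a first-wins and a last-wins parser would each resolve), pulls the /URI strings out of link annotations, and applies the link-farm test (many links, no dominant host, plus a utm_term redirector and/or hosts on disposable hosting). SAMPLE_PDF is constructed for the demonstration; DISPOSABLE_HOSTS is an assumed list seeded from the hosts in this report's URL list, and the thresholds min_links and max_dominant_share are illustrative, not the engine's.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample, not the analysed file: six link annotations on six
# different hosts (one utm_term redirector, one on a free-hosting domain), and
# object 4 redefined with a different /URI in an appended incremental update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Page /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/go?utm_term=free+template) >> >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://sample.weebly.com/uploads/1/2/3/file.pdf) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.example/a.pdf) >> >>
endobj
7 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.example/b.pdf) >> >>
endobj
8 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-c.example/c.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-d.example/d.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""

# Assumed list of free/disposable content hosts, seeded from this report's URLs.
DISPOSABLE_HOSTS = ("weebly.com", "strikinglycdn.com", "sqhk.co", "epizy.com",
                    "scienceontheweb.net", "myartsonline.com", "onlinewebshop.net")

OBJ_RE = re.compile(rb"(?ms)^(\d+)\s+(\d+)\s+obj\b(.*?)^endobj")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # does not handle an escaped ')' inside the string


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order, duplicates included."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """Map (num, gen) -> (first_body, last_body) for objects defined more than once with
    differing bytes. A first-wins parser resolves first_body, a last-wins parser last_body."""
    bodies = {}
    for num, gen, body in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: (v[0], v[-1]) for k, v in bodies.items() if len(set(v)) > 1}


def extract_uris(data):
    """Every /URI string in the file, in file order (both copies of a duplicated object)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def assess_link_farm(uris, min_links=5, max_dominant_share=0.5):
    """Link-farm heuristic: many external links, no dominant host, and a utm_term
    redirector and/or links parked on disposable hosts. Thresholds are illustrative."""
    hosts = Counter(_host(u) for u in uris)
    total = sum(hosts.values())
    dominant_share = max(hosts.values()) / total if total else 0.0
    utm_redirectors = [u for u in uris if "utm_term" in parse_qs(urlparse(u).query)]
    parked = [u for u in uris
              if any(_host(u) == d or _host(u).endswith("." + d) for d in DISPOSABLE_HOSTS)]
    flagged = (total >= min_links and dominant_share <= max_dominant_share
               and bool(utm_redirectors or parked))
    return {"flagged": flagged, "links": total, "distinct_hosts": len(hosts),
            "dominant_share": dominant_share, "utm_redirectors": utm_redirectors,
            "parked": parked}


if __name__ == "__main__":
    for (num, gen), (first, last) in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined twice\n  first-wins: {first!r}\n  last-wins:  {last!r}")
    print(assess_link_farm(extract_uris(SAMPLE_PDF)))
```

Objects packed into compressed object streams (/ObjStm) are invisible to this byte-level scan; a real analyser inflates them first. The scanner also treats the first 'endobj' at a line start as the end of an object, so binary stream data that happens to contain that keyword can truncate a body.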

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000fa88.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFA88    5296 bytes
  SHA-256: ae310d7fca8f4010e919580158ad30733120f1a8f6abc02f78a7efa79549d3f8
font_01_sfnt_off00010c6b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10C6B   10704 bytes
  SHA-256: e795c7113ea7f6e4d56b2acc75624863ff6aede114e832c39f51c6d41f8a68bf
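How font artifacts like the two above can be carved, as an added example rather than the analysis tool's own code: walk the indirect objects, inflate each FlateDecode stream, keep those whose first four bytes are an sfnt magic (TrueType 00 01 00 00 or 'true', OpenType/CFF 'OTTO', collection 'ttcf'), and record the raw stream's file offset, the decoded size and the SHA-256 of the decoded bytes, naming the output after the offset the way the table does. SAMPLE_PDF, FONT_TTF, FONT_OTF and CONTENT are constructed inputs. Note that the offset is that of the encoded bytes inside the file while the size is that of the decoded payload, so offset and size need not describe contiguous, non-overlapping file ranges.

```python
import hashlib
import re
import zlib

# Constructed sample, not the analysed file: one FlateDecode stream holds a
# TrueType-flavoured sfnt (magic 00 01 00 00), one uncompressed stream holds an
# OpenType/CFF header ('OTTO'), and one stream is page content that must not be carved.
FONT_TTF = b"\x00\x01\x00\x00\x00\x0a" + bytes(range(256)) * 2   # fake table directory + filler
FONT_OTF = b"OTTO" + b"\x00" * 12
CONTENT = b"BT /F1 12 Tf (constructed) Tj ET"


def _stream_obj(num, payload, extra=b"", compress=True):
    """Serialise one 'N 0 obj' stream object, FlateDecode-compressed unless told otherwise."""
    data = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%d 0 obj\n<< /Length %d%s%s >>\nstream\n" % (num, len(data), filt, extra)
            + data + b"\nendstream\nendobj\n")


SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              + _stream_obj(2, CONTENT)
              + b"3 0 obj\n<< /Type /FontDescriptor /FontName /Constructed /FontFile2 4 0 R >>\nendobj\n"
              + _stream_obj(4, FONT_TTF, b" /Length1 %d" % len(FONT_TTF))
              + _stream_obj(5, FONT_OTF, compress=False)
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
               b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}
OBJ_RE = re.compile(rb"(?ms)^(\d+)\s+(\d+)\s+obj\b(.*?)^endobj")
# Stream dictionary, then the raw bytes up to the EOL before 'endstream'. A production
# carver should trust /Length instead, since the keyword can occur inside binary data.
STREAM_RE = re.compile(rb"(?s)<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream")


def carve_fonts(data):
    """One record per embedded sfnt font stream: object id, file offset of the raw
    stream bytes, decoded size, flavour and SHA-256 of the decoded bytes."""
    found = []
    for obj in OBJ_RE.finditer(data):
        s = STREAM_RE.search(obj.group(3))
        if not s:
            continue
        dict_bytes, raw = s.group(1), s.group(2)
        try:
            payload = zlib.decompress(raw) if b"/FlateDecode" in dict_bytes else raw
        except zlib.error:
            continue                     # corrupt or unsupported filter: skip, do not crash
        flavour = SFNT_MAGICS.get(payload[:4])
        if flavour is None:
            continue                     # not a font (page content, images, XMP, ...)
        offset = obj.start(3) + s.start(2)   # absolute offset of the encoded stream bytes
        found.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
                      "object": (int(obj.group(1)), int(obj.group(2))),
                      "offset": offset, "size": len(payload), "flavour": flavour,
                      "sha256": hashlib.sha256(payload).hexdigest()})
    return found


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print("%(name)s  obj %(object)s  %(flavour)s  %(size)d bytes  %(sha256)s" % f)
```

Hashing the decoded payload rather than the compressed stream is what lets the same font be matched across documents that happen to compress it differently.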