Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f56b8b599d50c4c…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-28 21:35:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0620e5b9c02ee01224de8bbc00d2e095
SHA-1: deda184837c20aa9fd702abea6c22929f88801c7
SHA-256: 1f56b8b599d50c4c89d6f9edde6ea851625287448d7a7e17c5edb21a88caa89d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external links, consistent with a link farm or redirection mechanism leading to malicious sites. The document body, though partially garbled, contains a hair-care-related URL, which is likely a lure that disguises the document's real purpose of steering users to potentially harmful external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=para+que+sirve+el+jabon+de+azufre+en+el+cabello
    • https://cdn.sqhk.co/jezaziritav/Qgdt9eL/bigoxi.pdf
    • https://pogerukafitili.weebly.com/uploads/1/3/1/4/131437037/tiwotonimowas_sutovesovapa.pdf
    • https://kutepazibug.weebly.com/uploads/1/3/4/4/134477769/tefawenagum_gomabemevav.pdf
    • https://cdn.sqhk.co/lepavenujal/3fDgitJ/94141963142.pdf
    • https://cdn.sqhk.co/luwojafewu/hgWgchj/dialogflow_google_sheet.pdf
    • https://cdn.sqhk.co/pilozarager/iibAgfK/download_demise_of_nations_mod_apk.pdf
    • https://mekasirizi.weebly.com/uploads/1/3/5/3/135325166/9240622.pdf
    • https://loponulofaxoli.weebly.com/uploads/1/3/4/3/134324484/9d17b6048193.pdf
    • https://cdn.sqhk.co/fudikuzi/6wL0d0H/pisoxenekijejemedu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://995be609-08d3-41b1-a6c0-90e53670bcec.filesusr.com/ugd/9988e1_7db7c4bbefbb4e9dbf36bf3da59dc26c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/75dd4a67-140a-46d0-8d8f-e4e222fb567d/zupefoxufata.pdf
    • https://uploads.strikinglycdn.com/files/946e2caa-ab50-4a10-be81-e7e0e8b89744/navy_instructor_evaluation_sheet.pdf
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_06abb04ff6fc49ca807919dcf5531d7f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/eeb1c6c9-ef50-4f3c-8aba-d94b05206237/free_download_gimp_photoshop_software.pdf
    • https://uploads.strikinglycdn.com/files/ba24d029-f5b9-4350-8708-9076919f0007/life_skills_training_for_adults_with_disabilities.pdf
    • https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_b0a2ef585f1646f9a24f88a59f3fa481.pdf?index=true
    • https://8964868a-aef6-4da0-9a9b-29de7c28e0c5.filesusr.com/ugd/b910ae_1ce0b91c143d407699f732234b6fbf2a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1a4ffa2d-55cc-4b95-8680-11e637644eb7/rival_ice_cream_maker_gc8151.pdf
    • https://387a498e-9551-4239-9507-3183ba214552.filesusr.com/ugd/cd403b_ca1196b2a144409985620c160afae4d6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3e8d46fc-87d2-4f16-986a-1b491ac3ffc0/90589488611.pdf
    • https://uploads.strikinglycdn.com/files/ff90ffb8-91a3-4596-bc68-73c7cade05fd/tdk_bluetooth_speaker_manual.pdf
    • https://ac614e2c-2e00-43e4-a80f-2c6bce9fb64b.filesusr.com/ugd/f103bb_9414ea244d334a71b94df76ae7811071.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e82d.bin
  SHA-256: c9ee3c5ec326dd3bc76f99d1f875a2e1e8d24dc32c992d6df9a5ac75ff414567
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE82D
  Size: 5468 bytes

Filename: font_01_sfnt_off0000fae6.bin
  SHA-256: 8204b017f5cebb8343dfd738cab4f7905d5865cd35888a2a40885f86adebb8f9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFAE6
  Size: 11936 bytes