Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fa1666dacea05c0…

MALICIOUS

PDF

Size: 81.1 KB
Created: 2021-03-25 11:58:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e74d3138a7765522e3ee9f645cd9a815
SHA-1: 259ac3ac6f8bad5b143b0efd56cf3868ea3cf756
SHA-256: 1fa1666dacea05c0b6d791057484da60aade21a57b495b0f299cea6bc85751b2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, including one that appears to be a lure for 'hookah bar hd 1080p video song'. The heuristic PDF_SEO_LINK_FARM flags a mass of external links, which suggests a spam or phishing campaign. The ClamAV detection 'Pdf.Phishing.Trojan' further supports malicious intent, most likely the distribution of further malicious content or phishing pages via the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/123?utm_term=hookah+bar+hd+1080p+video+song

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fcfa.bin
    SHA-256: ca641e2929457b8b40475442ca5bc5fa7d21c5c3aed1694c5baa517a4ee59fb9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCFA
    Size: 5800 bytes
  • Filename: font_01_sfnt_off000110b4.bin
    SHA-256: ac1c19318601944cf21acfb672ba09cd1bd7d1c912d8aa8b46133112dc7c64c4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110B4
    Size: 11140 bytes