Malicious PDF — malware analysis report

Static analysis result for SHA-256 20209f1f7df28337…

Verdict: MALICIOUS
File type: PDF

Size: 102.9 KB
Created: 2021-04-09 02:43:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c7e289fce2562519062ba78558ce0aab
SHA-1: 4020c422720abb58f6a30f86093d2141a62b49f3
SHA-256: 20209f1f7df283373fc30c482b62c8f5e9310ac74bdf6c97a388789057b59759
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, with a critical heuristic identifying it as a PDF link farm. One of the primary external links, 'https://seumenha.ru/strik?utm_term=tubidy+mp3+gratis+descargar', is flagged as suspicious and likely leads to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9933

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=tubidy+mp3+gratis+descargar
    • https://cdn.sqhk.co/sejixikerut/jhgdhhL/equalizer_2_soundtrack_end_credits.pdf
    • https://raxagipob.weebly.com/uploads/1/3/4/8/134883443/vemumufedave.pdf
    • https://zunaxezosepoto.weebly.com/uploads/1/3/0/7/130739564/9688575.pdf
    • https://cdn.sqhk.co/matelasoguje/UetsPjc/arrowhead_golf_course_colorado_scorecard.pdf
    • https://cdn.sqhk.co/samekikogeri/jhdw0jc/barcode_scanner_app_free_download.pdf
    • https://munelexogetajax.weebly.com/uploads/1/3/1/4/131437313/40a19365d3f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tuxutedi/vozonosudetiwopize.pdf
    • https://uploads.strikinglycdn.com/files/5949cfab-3d8f-4a68-80c9-972c0bc1443f/19528260751.pdf
    • https://s3.amazonaws.com/tazibabebamep/resifevafinujemejel.pdf
    • https://s3.amazonaws.com/duzexefemosaxe/alex_rider_movie_2020_trailer.pdf
    • https://uploads.strikinglycdn.com/files/ae14e2d0-e476-41c6-a847-6816f84a0e05/how_to_wear_earbuds_without_hurting_ears.pdf
    • https://s3.amazonaws.com/rodakarugupoko/synaptics_smbus_driver.pdf
    • https://s3.amazonaws.com/jidagafinuxesu/face_detection_algorithm_java.pdf
    • https://s3.amazonaws.com/vuxalirudidel/vuxubusibakedoxixat.pdf
    • https://s3.amazonaws.com/vuliwisuwig/24849422503.pdf
    • https://s3.amazonaws.com/vavebufevodutob/9751419178.pdf
    • https://uploads.strikinglycdn.com/files/61ce1d93-671e-4425-9812-9de6648fbace/jamaica_kincaid_a_small_place_analysis.pdf
    • https://997b2cc2-d96d-4654-b184-8a5d7ad473c0.filesusr.com/ugd/b8d08c_29cc9d81180e4dd3beaa11d5db8f19ed.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b37db69d-e12d-45d0-8a9e-e3b9e309b6eb/wulukekelegalabewewobak.pdf
    • https://72b50e20-f79f-40ca-96b4-24bef83e308f.filesusr.com/ugd/1a1092_90928fd134ee4998a240ce5a8c30bf11.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000f796.bin
    SHA-256: 8187145963fbf8e0b7977f93bb9cbfc296fb812f6e2b6f40a3c8d31ca5a797a4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF796
    Size: 6744 bytes
  • font_01_sfnt_off0001084c.bin
    SHA-256: b24d73991966bd902893c4711acd3e2cd7ba1d66eab78252bed061e1fea3bb32
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1084C
    Size: 3032 bytes
  • font_02_sfnt_off0001131b.bin
    SHA-256: 0a42fba7fdce33b9ec437bc66ded7b25e16588e6952ad1d3a619441adfdd8546
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1131B
    Size: 5716 bytes
  • font_03_sfnt_off0001266d.bin
    SHA-256: d13f296f030b05d167872429658a99196482c03f4d9eb125323addd8d038eba3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1266D
    Size: 4068 bytes
  • font_04_sfnt_off0001366f.bin
    SHA-256: 9918bb98c9a0f888c3818efa68ff4496bf2f8ba95d8dcb841e1c07fc898f5568
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1366F
    Size: 13788 bytes
  • font_05_sfnt_off0001623e.bin
    SHA-256: 364f94cb8cddd70c8470235bfacb4396c819e3e4e08c2d5593d5772af2025ee8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1623E
    Size: 17512 bytes
  • font_06_sfnt_off00017b6c.bin
    SHA-256: c31ff2157c2fe831d557430cfbbe6f58bc06db1196113c7c0019dcad2e8bb9cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17B6C
    Size: 6068 bytes