Malicious PDF — malware analysis report

Static analysis result for SHA-256 239249fca21ad150…

Verdict: MALICIOUS
File type: PDF
Size: 86.5 KB
Created: 2021-05-29 05:08:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 2dd477676ab17d7407f1160fb4828085
SHA-1: 2ea86e8ecfd3f859d0d49b77798d7e3efc9141d5
SHA-256: 239249fca21ad150d3091442294f3ef4e5de35ebc7031ae28a6dc65a716c51d6
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high probability of malicious intent. The file contains a large number of external links, many of which point to potentially malicious domains, suggesting a link farm or phishing operation. The primary malicious URL identified is https://pelibifir.ru/strik?utm_term=ejercicios+de+caligraf%25C3%25ADa+para+primer+grado+de+primaria+pdf, which is likely used to redirect users to a harmful site. Although no scripts were explicitly extracted, the PDF structure and the numerous external links strongly suggest that it is designed to lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/strik?utm_term=ejercicios+de+caligraf%25C3%25ADa+para+primer+grado+de+primaria+pdf (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4470399/normal_6005c9b1b2b4f.pdf (in PDF document text)
    • https://sekilulijafos.weebly.com/uploads/1/3/1/4/131438177/pimosabasorizi_lapeb_viduf_fijopojuvuxuwi.pdf (in PDF document text)
    • https://latijivetazemor.weebly.com/uploads/1/3/0/7/130775002/zolaf.pdf (in PDF document text)
    • https://gebovobavafol.weebly.com/uploads/1/3/1/4/131406715/nukiv-dikowipubumuwa.pdf (in PDF document text)
    • https://pudamokanijufe.weebly.com/uploads/1/3/4/5/134524046/7a940db58646.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4482617/normal_5ffc63ec7d738.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4371523/normal_5fcea51ce4c2e.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a78d015a-4db7-46e1-9836-da94b52171b1/the_killing_joke_comic_original.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/27216e87-7924-46ab-be94-d9481d7a2d02/the_5_dysfunctions_of_a_team_by_patrick_lencioni.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c8fbcdca-eb7e-43d2-9e3c-ce089ea0baf1/sizobonudawavedu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bbfcf635-7e6b-4b32-86ad-3597001aed25/ms_drivers_license.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a122a1f6-286b-40b8-bc6c-9ce3e4ce9b9f/how_to_troubleshoot_gas_pool_heater_pilot_light.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/968cacbd-5248-492e-a523-a99973167fa6/52382758915.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/631e9cbc-dde3-4912-bdec-5792b3baaa3f/the_kybalion_free.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c462935b-e796-4ad6-ad20-6f244e5a496c/cuisinart_automatic_grind_and_brew_thermal_instruction_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7d4d262e-0b2f-4ec7-97a9-895643d127c2/cricut_car_decal_application_instructions.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9e08bd00-5b90-4807-a7fd-014dca1117cb/scag_mowers_parts_list.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/28537b76-7389-4448-af46-25f45233036b/22613349595.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8877ac9c-83c3-4b60-bdf8-156767f1411a/ganajefowulim.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/40614689-d568-423b-9d88-35ae70734fa0/fedizero.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b070a8cc-1776-4e29-9a33-5aa8f68c6c81/bovik.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/31c85f78-fa6e-42ea-8611-0cb14d8a3c36/10520021341.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b4b050ab-71a6-4d3d-a87f-1995bf299c12/xivivejaravazegux.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source and size.

  • font_00_sfnt_off0000ef22.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xEF22, 5564 bytes
    SHA-256: 3d39805b54e48646e1ac8a04d69a42193b66d33051499263abf8e128a28d1199
  • font_01_sfnt_off000101fe.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x101FE, 2092 bytes
    SHA-256: 9fcfd2b2c12c9d480c0beec3ee39f05b9e518edc5177a7a5fcc68dff0371f8a2
  • font_02_sfnt_off00010b9f.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x10B9F, 11760 bytes
    SHA-256: cda5d8284be58e1ab2009963311b7f7fc83b786453af0c37f98a315a8a9fba28
  • font_03_sfnt_off00013223.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x13223, 16488 bytes
    SHA-256: 62983dd010b7aa238131a5b5fc9b5234e97605aad009cac054b686215e957981