Malicious PDF — malware analysis report

Static analysis result for SHA-256 241d5f8bc4aaf166…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-03-18 04:38:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0e3471ccbb072321d73176d59702bf7d
SHA-1: 7785e26731871ae08721ff1cf5b67798a22f1232
SHA-256: 241d5f8bc4aaf16649e3730518b79d8e2cbf228e916111c2d3b2573b78512d61
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a significant number of external links, with one pointing to `https://lozipotod.ru/wix?keyword=june+2016+algebra+regents+answers`, suggesting a link farm or phishing lure. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic further support the attack pattern of directing users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9964

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://lozipotod.ru/wix?keyword=june+2016+algebra+regents+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ffce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFCE | 5552 bytes
  SHA-256: af59c2af2df0009b5f47248ba8a120b71cc67f425aad0a15049d3b7dd7366646
font_01_sfnt_off000112db.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x112DB | 11540 bytes
  SHA-256: 75fcc38d0f78b822cd98fb65d170721437685835ffb8b41e1ef2e09b89f2f78f