Malicious PDF — malware analysis report

Static analysis result for SHA-256 26cec41aa50b6b02…

MALICIOUS

PDF

Size: 77.5 KB
Created: 2021-04-24 22:43:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b1d78e09057d67d54084fb39b51a413
SHA-1: f1096c792ea801333b468c38ebf36f5ce8acfa9e
SHA-256: 26cec41aa50b6b021ce76a0f11050d3c3e4a48b4e2823348edce3fea3eeb63e8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of external links, many of which point to PDF files hosted on link-farm domains, suggesting an SEO-poisoning or phishing campaign. The primary external URI points to a URL that appears to be related to a treadmill sale, likely a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/strik?utm_term=proform+505+cst+treadmill+for+sale

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000edfa.bin
    SHA-256: a14d882868e6113b85cf58d0fc2969a859d3623abf34f16e0f0a1a76177d76a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDFA
    Size: 5436 bytes
  • Filename: font_01_sfnt_off00010061.bin
    SHA-256: 41041f355cf387d24bf3cce330addd6ee8a3ead42c494fc8ace84e4b621d535f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10061
    Size: 11864 bytes