Malicious PDF — malware analysis report

Static analysis result for SHA-256 2728b6f08e140bd7…

MALICIOUS

PDF

Size: 91.0 KB
Created: 2021-05-07 13:53:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93a4814fee2cd8979313c7d8e1eb35b9
SHA-1: a9d096c08a0c1a31d6b08ec4e8163b24c87b3283
SHA-256: 2728b6f08e140bd75a8f13921d3585cf8c83f7f822cfd4bd86cf7eac87bb9bfe
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which appear to be part of a link farm designed to lure users. The primary URL, 'https://pelibifir.ru/strik?utm_term=megastat+excel+2013+64+bit+free+download', suggests a phishing attempt related to software downloads. While no scripts were explicitly extracted, the PDF structure and numerous external links indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/strik?utm_term=megastat+excel+2013+64+bit+free+download
    • https://cdn.sqhk.co/nobixapo/hijfjhe/20676975399.pdf
    • https://cdn.sqhk.co/tavevalurov/hfIOibP/lezovodixeburikubevusijub.pdf
    • https://cdn.sqhk.co/novujarogoga/cjfijgg/honda_amaze_2018_price_in_nepal.pdf
    • https://zififawatef.weebly.com/uploads/1/3/4/3/134384507/bunakokagolebide.pdf
    • https://cdn.sqhk.co/rujiwujik/GjgfhbV/can_bunny_eat_popcorn.pdf
    • https://cdn.sqhk.co/kogewole/29FMjhQ/4th_grade_physical_education_games.pdf
    • https://xoxovumalojiru.weebly.com/uploads/1/3/0/8/130874224/jepaj.pdf
    • https://cdn.sqhk.co/vibebexez/agghjih/70405964053.pdf
    • https://zoxopabetil.weebly.com/uploads/1/3/1/1/131163737/0d52790286ce.pdf
    • https://cdn.sqhk.co/mekurapiw/iigjsef/red_ball_4_unblocked.pdf
    • https://nusuwexob.weebly.com/uploads/1/3/4/3/134352417/6379193.pdf
    • https://gisudilepa.weebly.com/uploads/1/3/5/3/135346020/kowubitexazexidetara.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a7da3e60-63c8-46c1-a846-eab7df628ed2.filesusr.com/ugd/bba345_e40c901c9a024f51a6d6868ed7d6ec32.pdf?index=true
    • https://s3.amazonaws.com/lomogas/wenudow.pdf
    • https://6f46ab72-b8e3-4ec2-8f01-cb5d6491dab7.filesusr.com/ugd/9a120b_a2651f130beb429881b4c515c7a7c792.pdf?index=true
    • https://d99c26cc-8c68-456d-a039-1a26994c8d26.filesusr.com/ugd/105a8c_acb0815f85fa42689c872cdf91c000a6.pdf?index=true
    • https://s3.amazonaws.com/rovuweraja/matrimonio_sobre_la_roca_en_espaol.pdf
    • http://zigugimevalevek.epizy.com/26200453029.pdf
    • https://s3.amazonaws.com/viromibukoleliw/wofopesija.pdf
    • http://togipumenotu.epizy.com/website_builder_apk_free.pdf
    • https://7e005a1c-fb68-43c1-af83-b854b6a2d282.filesusr.com/ugd/dcfb95_b2e97b653d0344f58539068ccc062f7f.pdf?index=true
    • https://s3.amazonaws.com/vedexajawo/how_do_you_adjust_the_temperature_on_a_masterbuilt_electric_smoker.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010ab7.bin | 48510ecefe2d8e693cac666b7e0dd6eb566a32c6c262e1b9281e20553690946e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AB7 | 6224 bytes
font_01_sfnt_off00012016.bin | a42a50b2b2036fddc355a953b22ba54106bc60099e1f8abcaf28f943d90b891e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12016 | 12240 bytes
font_02_sfnt_off000148cd.bin | 71b3c70877a07f920118f4c6ca13c2c85d760d9fd49c965fbba6477954a93e74 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x148CD | 16244 bytes