Malicious PDF — malware analysis report

Static analysis result for SHA-256 30c915f3b983402d…

MALICIOUS

PDF

76.2 KB Created: 2021-04-03 12:58:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-22
MD5: 5626bac42f61ad5713e8b63777b0f822 SHA-1: 22869b2b89758cff9a69a7668f7dad1d0dfb2272 SHA-256: 30c915f3b983402d6b920d7bf4c2b87c83d2caf911d777253a6a7bbd3938beba
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. One of the primary external URIs, 'https://soxebez.ru/123?utm_term=sherlock+holmes+audio+books', is suspicious and likely leads to a malicious site. The document body, though heavily obfuscated, contains references to 'Sherlock holmes audio books' and 'wkhtmltopdf', suggesting a lure to attract users to download or access content from these links. The presence of multiple external links and the ML classifier's high confidence score indicate a malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/123?utm_term=sherlock+holmes+audio+books PDF link annotation
    • http://mowefopovog.mywebcommunity.org/gunuzerasile.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4369638/normal_5febaf79e3f24.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4385230/normal_5fec1db36f036.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366325/normal_60513ff2b48e4.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4375204/normal_5ffd1909311fb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368488/normal_602d9cae2d933.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://78151a86-a557-4e49-81aa-a2539eea45c7.filesusr.com/ugd/204f4f_b51fc2bbad5a4d3083b27b03f8d80de2.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/gidibesuxi/jezugasidogozuxovefeb.pdfIn PDF document text
    • https://s3.amazonaws.com/galinikagopit/paxuduwuko.pdfIn PDF document text
    • https://s3.amazonaws.com/miwolezedubujoz/cdata_in_xml_format.pdfIn PDF document text
    • https://s3.amazonaws.com/tobaziw/dinokasipunagi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/86391e8c-5fb9-4d9c-b4f4-457b9a75e170/magic_tree_house_merlin_missions_27.pdfIn PDF document text
    • https://s3.amazonaws.com/sinadi/kelopilu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4dd8ee3a-c222-4b05-80fd-735fcbc279cd/what_is_sharia_law_in_malaysia.pdfIn PDF document text
    • http://belibivizonojo.myartsonline.com/71272488146.pdfIn PDF document text
    • https://e012ec00-e8e8-475f-a96b-80cab2ad705b.filesusr.com/ugd/3f1139_a220bf8b1e4844e4ac1111e24f1838ec.pdf?index=trueIn PDF document text
    • https://621cd70f-1aca-46de-91df-1bd8162c3e90.filesusr.com/ugd/9f1ad6_3299466b17c54d2ba7ecb345e699e6cb.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/winumigutam/f_o_r_er_full_form.pdfIn PDF document text
    • https://s3.amazonaws.com/ruzumeb/pumajerasabemajutom.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7273d2ef-ceba-470f-9680-de2a47628d64/when_to_do_morning_pages.pdfIn PDF document text
    • https://d17f4099-ecc1-42b1-9c73-51521793457c.filesusr.com/ugd/4a2613_d7a314a9ae1d4adc984a0ac84d6b92d6.pdf?index=trueIn PDF document text
    • https://709e7e89-b264-4d73-b757-064736ed86f1.filesusr.com/ugd/f523c3_c3ac3f43ded3461e876a358dfd7575ae.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/nuxulikiwab/maths_worksheets_for_grade_4_with_answers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0f12feb1-50e2-46d6-a0e7-24490816000a/wolfgang_puck_rice_cooker_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/41caca72-6ecb-4068-8114-8c1fb9adfd09/el_principe_de_nicolas_maquiavelo_frases.pdfIn PDF document text
    • https://s3.amazonaws.com/xokebore/sovovologavozogodanubore.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dec9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDEC9 5180 bytes
SHA-256: ca9f40ffff5dee746dee2d0dce9585655e826a3e05ce3f1281397056c763f780
font_01_sfnt_off0000f04c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF04C 11116 bytes
SHA-256: ad9ba000199f1204236342aa94c2df59ba9b36c092251cf7646d5a00dcb03916
font_02_sfnt_off0001154f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1154F 4324 bytes
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176

Open this report in the interactive analyzer, or submit your own file for analysis.