Malicious PDF — malware analysis report

Static analysis result for SHA-256 31239af2f0eb116c…

Verdict: MALICIOUS
File type: PDF
Size: 112.7 KB
Created: 2021-03-21 00:03:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e99efbc160c7c423647cf19cc9a3b0a
SHA-1: e25b71c42d409b56086df80b1cb2d4c087a269ba
SHA-256: 31239af2f0eb116ced04186900589633092aedb5420f02c6aa508e32d00e9b09
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF contains numerous external links, a common delivery pattern for phishing and unwanted-software lures. The primary URL, 'https://pelibifir.ru/wix?keyword=pocketband+pro+apk+full+version', is a software-download lure (a cracked "pro APK"), and the other clickable links cluster on a handful of file-hosting domains (cdn.sqhk.co, filesusr.com, strikinglycdn.com), which is the generated link-farm shape rather than a normal citation pattern. The ML classifier and the ClamAV signature agree on a malicious verdict, most plausibly phishing or malware distribution via the linked downloads. Two caveats for the reader: no JavaScript heuristic fired in this report, so the T1059.007 mapping above is not supported by the evidence listed here; and the w3.org, purl.org and ns.adobe.com entries in the URL list are XMP namespace identifiers, while the ascendercorp.com, dejavu.sourceforge.net and scripts.sil.org/OFL entries are vendor and licence strings consistent with the name tables of the embedded fonts, not links a user can click.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=pocketband+pro+apk+full+version
    • https://cdn.sqhk.co/figoveraboj/cvLpja0/gevutevusipedorijobut.pdf
    • https://cdn.sqhk.co/nugopanage/hBhagiB/wodemajimox.pdf
    • https://cdn.sqhk.co/kidatufo/Njfd2ji/78552833331.pdf
    • https://cdn.sqhk.co/patagarinixa/jjhbgZc/68553640899.pdf
    • https://cdn.sqhk.co/nomevagume/Phau1hg/31378330200.pdf
    • https://cdn.sqhk.co/remonupode/hqMhc78/file_manager_windows_10_2020.pdf
    • https://cdn.sqhk.co/nisugavu/hcYFl37/xilaxoweperemila.pdf
    • https://cdn.sqhk.co/xivomojuf/QkWhigf/bingo_party_decor.pdf
    • https://cdn.sqhk.co/fitodofafe/mighbgd/basic_spanish_printable_worksheets.pdf
    • https://cdn.sqhk.co/fumazuri/jbhahgX/46115406741.pdf
    • https://cdn.sqhk.co/jozazixefuf/bXjejax/tewawuxiludovefetikafug.pdf
    • https://cdn.sqhk.co/vekotevudoze/fheqDrM/call_of_duty_warzone_map_size.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://abbf68a8-5b21-4996-91be-11266bd273ed.filesusr.com/ugd/9374a7_0610f4b5669748f1ab61e7cd5ca7cf74.pdf?index=true
    • https://30de3caf-c510-4ce9-8691-b8280dc60d9b.filesusr.com/ugd/4980ee_6cfca022fa024f478648f0fc5ab2fe26.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6bb2f077-adee-44d7-914c-9439a6d952b2/91164788629.pdf
    • https://uploads.strikinglycdn.com/files/b8f8ed58-a233-4f65-90ae-a214dcaf2566/39305303661.pdf
    • https://uploads.strikinglycdn.com/files/e1ad40e3-1eb6-4c3c-99a0-985d0bdef4a0/49769369878.pdf
    • https://uploads.strikinglycdn.com/files/95b39913-835f-45ae-bfa1-2e656cb92b82/10611192604.pdf
    • https://f5f74d4f-f804-4d9b-9bfa-9964b2756261.filesusr.com/ugd/e389b3_21d3bb071c6443aaa5b6fabc9d00da7e.pdf?index=true
    • https://6184de0c-c318-42a7-882e-c5ddc63b817d.filesusr.com/ugd/1c8c1e_f3a0c5493f354fbb9c4e145fe4ff2c13.pdf?index=true
    • https://e1eccfe9-8888-4f52-a155-e9c8e84e0752.filesusr.com/ugd/4fb05f_2e602371e89d4d879449e16d72ef0230.pdf?index=true
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_79e32b2e31df48eeb47a70e7da923457.pdf?index=true
    • https://2e4d99de-9d37-4ce2-abd5-0bbccafdbe51.filesusr.com/ugd/33a2e4_5f84340679894c949943675f4dc26cf4.pdf?index=true
    • https://c3a7a64c-5591-430b-94d7-c2eadfdf3523.filesusr.com/ugd/966478_9722eaeaf07e4918aa85c074564110a7.pdf?index=true
    • https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_2e67bacd8404452d9edc956fdd3f6dd3.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
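As an added worked example (not the scanner's own code, nor the Nyx classifier), the following Python script implements the three structural checks above over a constructed sample: it extracts /URI link actions and clusters them by host (PDF_SEO_LINK_FARM), labels every URL by the channel that reached it, clickable action versus raw bytes only (PDF_URI versus EMBEDDED_URL), and finds object numbers defined more than once with differing bodies, raising severity only when a differing body carries active content (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The function names, the thresholds (8 links, 60% on one host), the active-content keyword list and the sample PDF are all assumptions constructed here; the sample is uncompressed, so the regex-level parsing that works on it would miss objects inside FlateDecoded object streams in a real file, where a proper PDF parser is needed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF with ten
# /Link annotations, eight of them on one host, XMP namespace URIs inside the
# metadata stream, and the Catalog (object 1 0) redefined in an incremental
# update so that a last-wins reader sees /OpenAction JavaScript and a
# first-wins reader does not. Hostnames use the reserved .test TLD.
_LINK_HOSTS = ["cdn.example.test"] * 8 + ["lure.example.test", "other.example.test"]

def build_sample_pdf() -> bytes:
    refs, annots = [], []
    for i, host in enumerate(_LINK_HOSTS):
        num = 10 + i
        refs.append(f"{num} 0 R")
        annots.append(
            f"{num} 0 obj << /Type /Annot /Subtype /Link "
            f"/A << /S /URI /URI (https://{host}/f/{i}.pdf) >> >> endobj"
        )
    parts = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >> endobj",
        "4 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj",
        "9 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream endobj',
        *annots,
        "trailer << /Root 1 0 R /Info 4 0 R >>",
        "%%EOF",
        # incremental update: object 1 0 again, different body, active content
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R "
        "/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj",
        "trailer << /Root 1 0 R /Info 4 0 R /Prev 0 >>",
        "%%EOF",
    ]
    return "\n".join(parts).encode("latin-1")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string /URI values only
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys whose presence in a differing body turns a benign incremental update
# into a parser-confusion finding (assumed list, not the scanner's).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/ImportData")

def extract_link_uris(data: bytes) -> list:
    """URLs reachable through /URI actions, i.e. clickable link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)]

def classify_urls(data: bytes) -> dict:
    """Label each URL in the raw bytes by the channel that reached it: a /URI
    action, or raw bytes only (XMP namespaces, font licence strings, etc.)."""
    clickable = set(extract_link_uris(data))
    return {m.group(0).decode("latin-1"): "link annotation"
            if m.group(0).decode("latin-1") in clickable else "raw bytes only"
            for m in ANY_URL_RE.finditer(data)}

def link_farm_assessment(uris, min_links=8, min_share=0.6) -> dict:
    """Flag a link farm when many clickable links cluster on one host."""
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {"links": len(uris), "top_host": top_host, "top_share": round(share, 2),
            "link_farm": len(uris) >= min_links and share >= min_share}

def find_duplicate_objects(data: bytes) -> list:
    """Objects whose number/generation is defined more than once with different
    (whitespace-normalised) bodies, so first-wins and last-wins readers would
    disagree. Severity is raised only when a body carries active content."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(b" ".join(m.group(3).split()))
    findings = []
    for (num, gen), bodies in seen.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                             "first_wins": bodies[0].decode("latin-1"),
                             "last_wins": bodies[-1].decode("latin-1"),
                             "active_content": active,
                             "severity": "critical" if active else "info"})
    return findings

if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("link farm:", link_farm_assessment(extract_link_uris(pdf)))
    for url, channel in classify_urls(pdf).items():
        print(f"  {channel:16s} {url}")
    for f in find_duplicate_objects(pdf):
        print(f"duplicate object {f['obj']} x{f['definitions']} "
              f"severity={f['severity']} active={f['active_content']}")
```

On the constructed sample the script reports ten clickable links with 80% on one host (link farm), two URLs reached only through raw bytes (the XMP namespaces), and object 1 0 defined twice where only the last-wins body carries /OpenAction JavaScript, which is exactly the case where the duplicate-object heuristic should escalate from info to critical.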

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

stream_004_off000189d7.bin
  SHA-256: 6223b441c91e7e4d429321ba0a2794990e310301ad1b471c21da6f32bbff1118
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x189D7
  Size: 24484 bytes

font_00_sfnt_off00014d67.bin
  SHA-256: 0f908b30601561f49583a6a2465eea96c7acd3d6b29c8a649cd37e08834bcbf2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14D67
  Size: 5412 bytes

font_01_sfnt_off00015fe9.bin
  SHA-256: bd8416c569157b5c1f6d21bd895e5257dd0928040a54bcae3844302968f51391
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15FE9
  Size: 12316 bytes