Malicious PDF — malware analysis report

Static analysis result for SHA-256 327cb7c24f7210ff…

MALICIOUS

PDF

124.1 KB Created: 2021-03-17 14:20:57 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc08c65b26a6e7915e3c863d9edb1cfa SHA-1: 9d89a268026ca98c232419863d00b0d7c9eb972c SHA-256: 327cb7c24f7210ffa6214f4bdcbecdc56adc16f8588ea8be54c494639443b629
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm designed to manipulate search engine results. The primary malicious URL identified is https://seumenha.ru/strik?utm_term=helix+lt+vs+pod+go. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=helix+lt+vs+pod+go
    • https://cdn.sqhk.co/vimewiki/gfgj2Xu/funny_animated_faces.pdf
    • https://cdn.sqhk.co/xexerekija/jiieFLy/minecraft_free_trial_vs_full.pdf
    • https://cdn.sqhk.co/mofijovelu/gi9hbid/z_nation_season_3_episode_2_review.pdf
    • https://cdn.sqhk.co/zugivakizo/hjiLvhg/animal_jam_classic_free_membership.pdf
    • https://cdn.sqhk.co/xuruwivagezu/hahi6MG/aadhar_card_correction_form_fill_up.pdf
    • https://cdn.sqhk.co/tosijoxopum/rjjAFpZ/pacsun_return_policy_online.pdf
    • http://vixixar.22web.org/95641393287.pdf
    • https://cdn.sqhk.co/bujerinalo/dgdidji/regal_cinemas_16_stockton.pdf
    • https://cdn.sqhk.co/tiluzegata/gf7BB5f/81389563484.pdf
    • http://tudewulowas.iblogger.org/monster_hunter_world_hunting_horn_guide.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5d94d51b-2702-4b64-8df3-eadd022f3edc.filesusr.com/ugd/2ddd39_03c403564ba74524b984913b02071d58.pdf?index=true
    • https://s3.amazonaws.com/zepifudoxapo/rapufewovodenajon.pdf
    • https://4cf6c2b4-cd84-4b73-83b1-bf7f441162b2.filesusr.com/ugd/e50c99_779a954865b54120af410f5c9d372176.pdf?index=true
    • https://e0eedba4-cf99-4c42-97f5-d3f9ae5832dd.filesusr.com/ugd/e36ea7_6a54f55017fb401cb8b19163d279551c.pdf?index=true
    • https://s3.amazonaws.com/magapeguwabe/matrix_determinant_worksheet.pdf
    • https://s3.amazonaws.com/devuxuzejozam/4298655777.pdf
    • http://towupew.epizy.com/jest_transform_babel_typescript.pdf
    • https://s3.amazonaws.com/lowebemuwojiso/problemas_politicos_en_mexico_2019.pdf
    • https://s3.amazonaws.com/lofese/aicte_approved_colleges_list_2019-_20.pdf
    • https://1347de4c-4e54-429a-b84c-372e60bc5a2b.filesusr.com/ugd/6c98bc_19f05cc4cc8a45d2ae89e3d6bf6d43f0.pdf?index=true
    • https://s3.amazonaws.com/vazisi/baking_sheet_chicken_breast.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000195aa.bin
de829b682933dbdba363f0e22790b68c520c74592bb44f5ac50fc9a128df2fb4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x195AA 10992 bytes
font_00_sfnt_off00013aa6.bin
1075108729e0f76a43d1e3170d2d0cc0b2b3f94db3d78634362c5edbafd71605		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13AA6 23468 bytes
font_01_sfnt_off000184e0.bin
440f59b7acd0f054e13f411626619742ce36457ef9662df020716d26e49c96c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x184E0 4908 bytes
font_03_sfnt_off0001b3d1.bin
a49fd59c39ca95081f4f2a7b7372d6fc128bd9af37d63755a1b5211e28b5b855		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B3D1 13984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.