Malicious PDF — malware analysis report

Static analysis result for SHA-256 32b3fc44110e763c…

MALICIOUS

PDF

Size: 71.8 KB
Created: 2021-04-16 13:47:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66f89042b6441564b04190c647db1528
SHA-1: d7af5e4a6142d3a214fe69c77ca65ba4eaa866e3
SHA-256: 32b3fc44110e763c331d9c10cb05014249ff5febe4fbe64d6811838eb8fd0a1a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, and a critical heuristic identifies it as a link farm. One of the primary external URIs, 'https://resalured.ru/strik?utm_term=mental+health+issues+definition+psychology', is flagged as suspicious. The embedded links together with the ML classifier's high confidence score suggest malicious intent, most likely phishing or staging the delivery of further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=mental+health+issues+definition+psychology
    • https://cdn.sqhk.co/levuzivanu/gjjiGPQ/9115132867.pdf
    • https://cdn.sqhk.co/misumirotoj/hhEYgie/54959436409.pdf
    • https://cdn.sqhk.co/zowipitilo/hgzhcAc/jijitesewepixevefurij.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/busutafitufe/nomination_form_template.pdf
    • https://uploads.strikinglycdn.com/files/fb70321a-3166-430e-8b3f-7992b469de1f/wanujotoziri.pdf
    • https://uploads.strikinglycdn.com/files/d3d63452-7dcb-400c-995d-1c4e64149d76/69325098732.pdf
    • https://6baea7ca-81e4-4a11-8410-716433a99462.filesusr.com/ugd/764aaa_c8683374d982492dac21e06cbc5ed993.pdf?index=true
    • https://c01188fd-d8af-4b86-846b-090f7ecd58d8.filesusr.com/ugd/9058e5_152fbbc4ea5749808ae4e4cb5bfae99e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c84e0e4a-bcf1-459f-b01d-3856b0696144/marketing_management_russ_winer_and_ravi_dhar_4th_edition.pdf
    • https://1ceef7f3-d523-4f80-a0a4-3aed54d3d17a.filesusr.com/ugd/48841a_ca9f39f6eded4cc3929234b39eb68f49.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b52173dd-fe69-4eb4-be20-d69685808690/comcast_remote_control_codes_for_sharp_tv.pdf
    • https://s3.amazonaws.com/laginekux/crayola_crayon_costume_template.pdf
    • https://uploads.strikinglycdn.com/files/2a6be3ea-e15d-486b-b26d-f72182102234/84842559007.pdf
    • https://s3.amazonaws.com/fonazuzixagizir/best_omron_blood_pressure_monitor_australia.pdf
    • https://uploads.strikinglycdn.com/files/dad5ad19-4514-453c-8365-ff79e7eaccb0/52617905157.pdf
    • https://uploads.strikinglycdn.com/files/e51659be-08c2-4491-90a2-0499cbeefe5c/yamaha_mg166cx_price_in_bangladesh.pdf
    • https://s3.amazonaws.com/rimepusox/nba_2k20_badge_guide_reddit.pdf
    • https://uploads.strikinglycdn.com/files/25c998c7-d107-419d-a84a-878496cfe25a/black_nativity_play_script.pdf
    • https://uploads.strikinglycdn.com/files/e598c22f-f494-40b0-9577-696b2bec1b90/6983717126.pdf
    • https://s3.amazonaws.com/toliwudalamem/kenmore_progressive_canister_vacuum_belt_replacement.pdf
    • https://s3.amazonaws.com/dotivaf/dumb_ways_jr_boffo_s_breakfast.pdf
    • https://a49a6154-edc8-4132-95a2-c7bb8d673fe9.filesusr.com/ugd/551169_7453a23205d14bfb94374dd5c85e7b39.pdf?index=true
    • https://153f2bed-3501-4ec5-9468-ed1987511f6d.filesusr.com/ugd/f67134_26fafe0ed43a4a599eb926a332899144.pdf?index=true
    • https://s3.amazonaws.com/wupiwupiwot/revegowetudopowogorepef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000da11.bin
    SHA-256: 87ad6af58a365a818a3803c1ef18fce0b71b39432257def43e3618982c392aa1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA11
    Size: 5428 bytes
  • Filename: font_01_sfnt_off0000eca5.bin
    SHA-256: 338217bbe604c05e581e8a66099f898f473648ed1c507b725f22b572a8f3c79f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xECA5
    Size: 10248 bytes