Malicious PDF — malware analysis report

Static analysis result for SHA-256 34232f85863b1869…

MALICIOUS

PDF

77.8 KB Created: 2021-05-06 15:41:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40af1bf558bb57ffcc8ea220c605b42c SHA-1: 571f275d8d516d8ad8a003c9055209ba87da982f SHA-256: 34232f85863b1869926257681cf6773afef76d068d2a762f7859fe4d976abae7
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and phishing-related. It contains a large number of external links, many of which are to potentially malicious domains, suggesting a link farm or phishing campaign. The document body, though heavily obfuscated, contains keywords related to 'French times grammar' and application metadata, indicating a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=french+times+grammar
    • http://bifovogixugot.22web.org/guide_nutrition_sportive.pdf
    • http://xewuxufulizifu.22web.org/college_interest_survey.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://656adf98-7a81-40bd-8d0f-2b9c27d09201.filesusr.com/ugd/268ab1_f07d61af728748afb46fa9a07608a6a9.pdf?index=true
    • http://kikivalisexe.epizy.com/android_app_bar_background_color.pdf
    • http://jesebikalag.epizy.com/ieee_template_word_file.pdf
    • https://8546b567-499d-44cb-812b-f4cb210fa0cc.filesusr.com/ugd/1f0b74_750ddb5a596a40bf8c3472bc2d186b0d.pdf?index=true
    • https://83d12552-0bc1-4415-b221-1da25caacb9b.filesusr.com/ugd/1e11d0_6bd93103ec2f4295a956a13442df9369.pdf?index=true
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_fec155e8de004b27ab3e9bb4656c74ae.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0c7518c2-89fd-46ee-8c90-0ba4061f2253/the_r_book_amazon.pdf
    • https://uploads.strikinglycdn.com/files/f3af44ba-8181-4fea-932f-f7de3517c356/togitimaxodazetarusa.pdf
    • https://e8f98835-b194-42a5-b43f-fe2f29920dd6.filesusr.com/ugd/bf650e_7725233448194d7e991354fe887acd65.pdf?index=true
    • http://naxolop.rf.gd/percy_jackson_greek_gods_ar_test_answers.pdf
    • https://uploads.strikinglycdn.com/files/6bc180c7-46dd-43e1-8cf0-f2c52c3cc0cb/kuxijakuvitunatilaza.pdf
    • https://a815f367-2516-4b88-9496-eed07d5c1eb7.filesusr.com/ugd/665c20_0f0964f786cf4791855ecbff116ce1d3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f8863b18-a2e4-40a4-bfff-46df9afbd8f8/28886111456.pdf
    • https://uploads.strikinglycdn.com/files/556225ec-5fc6-4f56-93b6-30ec5b56d62e/new_york_driving_permit_test_questions_and_answers.pdf
    • https://uploads.strikinglycdn.com/files/74b96d1a-c349-4314-8b51-bb541b445a08/calling_smartwatch_under_3000.pdf
    • https://ee67c5b3-b4d3-4257-b425-af55881d3a68.filesusr.com/ugd/c60da7_535e6f090857482a9e8114073aa5ec40.pdf?index=true
    • http://zikinevubebera.epizy.com/7196568238.pdf
    • http://bosefijov.epizy.com/psychology_statistics_for_beginners.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f295.bin
16851897c34ebc74c89b9cbf1533bbe641e03a6ce5c6212829d725115216bef1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF295 5136 bytes
font_01_sfnt_off000103e3.bin
42e613bbd8d908a1613ec82e5bc0aeb7279f48da1229876a9311c37e69113b65		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103E3 11968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.