Malicious PDF — malware analysis report

Static analysis result for SHA-256 350b13390f65145b…

MALICIOUS

PDF

Size: 81.4 KB
Created: 2021-03-16 00:57:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ca382629db3fe34a224926b594b1af5
SHA-1: d52aa3731c29b1b68df8b1f668146a4fd8bfb4bd
SHA-256: 350b13390f65145b2f9b35c4785925ebca870703d588833e77394fe0880819fb
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many of which are part of a link farm designed to appear as search results for specific keywords. The primary malicious URL identified is jumiwimov.ru, which likely serves as a lure to download further malicious content. The presence of a PDF_SEO_LINK_FARM heuristic and ClamAV detection strongly indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/award?keyword=the+accidental+prime+minister+book+pdf+in+telugu

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fe68.bin
    SHA-256: 96e2d405f7b60f1c87c40b8e5ac8230556da55fe0e94aeb61ef347fdc5f3979d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE68
    Size: 5720 bytes
  • Filename: font_01_sfnt_off000111af.bin
    SHA-256: 7cd64fed4e73c1cba906d1765d8a8ed0a16e6d08119f03fb41193fbc4bb990ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111AF
    Size: 11368 bytes