Malicious PDF — malware analysis report

Static analysis result for SHA-256 3553eb9f247de703…

MALICIOUS

PDF

Size: 80.2 KB
Created: 2021-05-27 04:52:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e121fa3844f5a3cd0bb9d5f7d5547fb3
SHA-1: 7b582e7b0ce0edb2b9ddd7f9ed0059166532f3fd
SHA-256: 3553eb9f247de70399961350433296f429f89490d9c594ebddceec4b34216cd9
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution scheme, likely initiated via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://kuzutuzo.ru/strik?utm_term=marvel+super+heroes+vs+street+fighter+how+to+switch+characters+ps1
    • https://bonagimeduvutup.weebly.com/uploads/1/3/1/4/131453121/7222240.pdf
    • https://cdn-cms.f-static.net/uploads/4411231/normal_6035e524d5eda.pdf
    • https://vikaworapelesob.weebly.com/uploads/1/3/4/7/134702945/3520767.pdf
    • https://static.s123-cdn-static.com/uploads/4486975/normal_6005f31c26a9f.pdf
    • https://cdn-cms.f-static.net/uploads/4413120/normal_5fdb33fd8bc02.pdf
    • https://cdn-cms.f-static.net/uploads/4455890/normal_5fea1d92a296a.pdf
    • https://senesawepemij.weebly.com/uploads/1/3/7/5/137503152/mexat-lotiweg-jaferiropesa-meboxobelo.pdf
    • https://mufanujirube.weebly.com/uploads/1/3/5/3/135348440/ee1dfb6f953.pdf
    • https://renezotutumiw.weebly.com/uploads/1/3/5/3/135343322/2165344.pdf
    • https://cdn-cms.f-static.net/uploads/4375350/normal_5fda5cdf99476.pdf
    • https://cdn-cms.f-static.net/uploads/4488582/normal_605946c030cf7.pdf
    • https://cdn-cms.f-static.net/uploads/4500201/normal_605c73faf313b.pdf
    • https://pinobuni.weebly.com/uploads/1/3/0/9/130969003/vuter.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/9c2e0226-eac7-40bd-9511-cf12c2ed78a3/bipib.pdf
    • https://uploads.strikinglycdn.com/files/fe787c90-9e09-466d-9f0c-c72f0290fbf2/3879473953.pdf
    • https://uploads.strikinglycdn.com/files/dfa06107-526c-455b-9360-407aa914adc4/ncsu_computer_programming_certificate_reddit.pdf
    • https://uploads.strikinglycdn.com/files/47c72ae8-7f71-4487-9781-7a1fabd0e68e/javudedut.pdf
    • https://uploads.strikinglycdn.com/files/1e20dceb-c898-4c68-8990-ac5d0f36a1b9/a_raisin_in_the_sun_movie_cast.pdf
    • https://uploads.strikinglycdn.com/files/4d4911be-9c50-4b0b-a2d1-c1eabb80c6c6/99659268576.pdf
    • https://uploads.strikinglycdn.com/files/603812c7-e7de-49dd-b018-fca4a8c7ac2e/89646270461.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e9b0.bin
    SHA-256: 06327bb23858d1e9657bbe165331968db74c71184ffc304f33c9c85abfd1b6a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9B0
    Size: 5264 bytes
  • font_01_sfnt_off0000fbdb.bin
    SHA-256: 3e57251d7e8564ea99822ae7364c4bb512aa57e29030d829f3f5a63a7f349cc8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBDB
    Size: 11412 bytes
  • font_02_sfnt_off00012295.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12295
    Size: 4324 bytes