Malicious PDF — malware analysis report

Static analysis result for SHA-256 35dc4bfff67124e0…

Verdict: MALICIOUS
File type: PDF
Size: 92.9 KB
Created: 2021-05-15 05:46:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 730c624203d20d191a1653144ba4d7ff
SHA-1: a5cc2301a2f9678b5cbb803a4113d1fa49929d47
SHA-256: 35dc4bfff67124e0289e217d843afe12830cceac35df8a746b0ee3bc486659a7
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, with the primary URL pointing to a suspicious domain associated with phishing and malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'Consejos escolares de participación social hidalgo 2020', likely to trick users into clicking the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://dafemum.ru/strik?utm_term=consejos+escolares+de+participaci%25C3%25B3n+social+hidalgo+2020

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011e04.bin
  SHA-256: c7fbb65b48d51cf1162f801f812b02bb5c31d78fb71a26e700a57c3e2853855e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11E04
  Size: 1944 bytes

Filename: font_01_sfnt_off0001273b.bin
  SHA-256: 1e9db3f5a69daffec74839c2c739a2f6857f28b02736bdf67d08e99d78dcc16d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1273B
  Size: 5728 bytes

Filename: font_02_sfnt_off00013a74.bin
  SHA-256: b465ea7c9a57910e63df955c012f60d6730eccefb746ae7356b81c65487ab12f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13A74
  Size: 12524 bytes