Malicious PDF — malware analysis report

Static analysis result for SHA-256 366dee2798067a6e…

Verdict: MALICIOUS

File type: PDF

Size: 80.2 KB
Created: 2021-03-04 22:56:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a30dd259e81a72707007ce9ba88b992
SHA-1: d351bdc2a9edd919c0bcda76177c81e5d1112a5f
SHA-256: 366dee2798067a6e7136026ad39ad647f0529c6b5e0d9800ccc4c482288c81b1
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a technique often used for SEO spam or phishing. The ClamAV detection and ML classifier strongly indicate maliciousness, specifically flagging it as a 'Pdf.Phishing.Trojan'. The embedded URLs suggest the document is designed to redirect users to potentially harmful content or further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f06e.bin
    SHA-256: 40bc1a683f49924d919f1a9d97d1e7ce465b76dc1400f4cafd217c47746c779c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF06E
    Size: 4812 bytes
  • font_01_sfnt_off000100e5.bin
    SHA-256: bfab1baacc872cbeda7c05414484a61e5911f1755332632f63a04a87cee1a161
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100E5
    Size: 10184 bytes
  • font_02_sfnt_off000123c8.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x123C8
    Size: 4324 bytes