Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a034d52175f50f7…

Verdict: MALICIOUS
File type: PDF
Size: 96.8 KB
Created: 2021-03-16 05:24:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b2f88c9946045a43532bc3a5804d639
SHA-1: 85f7fe17cf7919fb4890853746d17b8a2bf61221
SHA-256: 3a034d52175f50f7eb971f20009c0261796d6dd6e59838ae9b816201e47919b4
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

A heuristic fired on the large number of external links in this small PDF, a pattern consistent with a generated link-farm or phishing carrier rather than a normal document. The ML classifier and the ClamAV signature both rate the file malicious. The document body, although obfuscated, contains text about an 'admission form', which matches the lure visible in the utm_term parameter of the botokaw.ru URL. The embedded URLs and the document structure indicate a file built to send users to external sites, most likely for credential harvesting or delivery of further payloads. Note that none of the listed heuristics report JavaScript, so the T1059.007 mapping is not corroborated by the findings below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not look like a normal citation pattern. In this sample the targets are spread over a handful of free-hosting and object-storage providers (weebly.com, iblogger.org, epizy.com, s3.amazonaws.com, filesusr.com), each serving a randomly named .pdf.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detects this file as malware under the signature above.
  • [info] PDF_URI: External URI action
    The PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it did not, hence the info severity.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are not reproduced in this listing. The www.w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and the fedorahosted.org, ascendercorp.com, scripts.sil.org, gnu.org and geocities.com entries appear to be vendor and licence strings from the embedded fonts (the trailing "GNU" and "Regular" look like adjacent name-table strings run together by extraction); neither group should be read as a link target.
    • https://botokaw.ru/123?utm_term=admission+form+pup
    • http://sokobumoxagug.scienceontheweb.net/32884398858.pdf
    • http://degitowexara.iblogger.org/bilasokisajuvegopidelen.pdf
    • https://redelonoxoti.weebly.com/uploads/1/3/1/6/131606094/524250.pdf
    • http://pifowovumuwe.medianewsonline.com/59139495293.pdf
    • https://nigukaxo.weebly.com/uploads/1/3/1/4/131453065/vurup_favunokekog_sazexukawewozaw_karutumaja.pdf
    • https://salexutoxor.weebly.com/uploads/1/3/4/7/134761189/8341368.pdf
    • http://kuxogajow.iblogger.org/vivubopivufunexan.pdf
    • https://rilavowa.weebly.com/uploads/1/3/2/7/132740415/6174472.pdf
    • http://lewodazegozi.iblogger.org/12th_computer_science_public_answer_key_2018.pdf
    • https://jawejeletisib.weebly.com/uploads/1/3/4/8/134886371/dozugalovatogig-lewumulav-gofaludij.pdf
    • http://gufosizikok.22web.org/pepupoputoxuwedoxidefe.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tuxefefili.epizy.com/case_study_marketing_strategy.pdf
    • http://kozogasivufi.myartsonline.com/92351708943.pdf
    • https://s3.amazonaws.com/rimepusox/70045113828.pdf
    • http://zafovitunopejus.epizy.com/97251248114.pdf
    • https://s3.amazonaws.com/rojalexipokadaz/fijowididivifodasa.pdf
    • https://s3.amazonaws.com/xufujofaleki/lab_report_format_cover_page.pdf
    • https://923a8ca3-316b-4844-b38f-9bc955ad4852.filesusr.com/ugd/312e0e_7ca1c053c6e649f4bd313bbd9209449d.pdf?index=true
    • https://s3.amazonaws.com/taguxif/xipekaguripabarulagisas.pdf
    • https://e510c2d5-567e-4a96-89ff-abc18316baf7.filesusr.com/ugd/8a9bcc_bc1e6e5992a34731a11a0c4fac8b1d31.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
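As an added example (not part of this report and not the scanner's own code), the following Python script implements simplified versions of two of the structural checks described in the heuristics above: the duplicate-object shape behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, resolved both first-wins and last-wins, and the host-clustering behind PDF_SEO_LINK_FARM. The PDF it analyses is constructed inline; the hosts, object numbers, active-content key list and thresholds are assumptions, and the regex object parser ignores xref tables, object streams and encryption.

```python
"""Added example, not the report's or the scanner's own code: a simplified
scanner for two of the PDF shapes flagged above.

  * PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: an indirect object "N G obj" defined
    twice with different bytes, so first-wins and last-wins readers disagree.
  * PDF_SEO_LINK_FARM: many /URI link actions clustered on one host.

The PDF is constructed inline (hosts, object numbers and thresholds are
assumptions). The regex parser is deliberately minimal: no xref walk, no
object streams, no encryption, so it is a triage aid, not a reference parser.
"""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a redefined object "active content" rather than a benign
# metadata change from an incremental update (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm")


def build_sample_pdf():
    """Constructed sample (not the analysed file): ten link annotations, eight
    of them on one host, then an incremental update that rewrites the /Info
    dictionary (benign) and retargets the first link (active content)."""
    urls = [f"http://cdn.linkfarm.example/{n}.pdf" for n in range(8)]
    urls += ["https://docs.other.example/form.pdf", "http://third.example/a.pdf"]
    annots = "".join(
        f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link "
        f"/A << /S /URI /URI ({u}) >> >>\nendobj\n" for i, u in enumerate(urls))
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    pdf = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
        "6 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210316052407) >>\nendobj\n"
        + annots +
        "trailer\n<< /Root 1 0 R /Info 6 0 R >>\n%%EOF\n"
        # incremental update appended after the first %%EOF
        "6 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210317000000) >>\nendobj\n"
        "10 0 obj\n<< /Type /Annot /Subtype /Link "
        "/A << /S /URI /URI (http://cdn.linkfarm.example/redirect) >> >>\nendobj\n"
        "trailer\n<< /Root 1 0 R /Info 6 0 R /Prev 0 >>\n%%EOF\n")
    return pdf.encode("latin-1")


def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order, duplicates kept."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(num, gen) -> list of bodies for objects defined more than once with
    differing bytes. A first-wins reader uses bodies[0], last-wins bodies[-1]."""
    table = {}
    for num, gen, body in objs:
        table.setdefault((num, gen), []).append(body)
    return {k: v for k, v in table.items() if len(set(v)) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(objs, last_wins=True):
    """Collapse duplicates the way a given reader would."""
    table = {}
    for num, gen, body in objs:
        if last_wins or (num, gen) not in table:
            table[(num, gen)] = body
    return table


def uri_actions(bodies):
    """Targets of /URI actions found in the given object bodies."""
    return [m.group(1).decode("latin-1") for body in bodies
            for m in URI_RE.finditer(body)]


def link_farm_verdict(urls, min_links=8, min_top_share=0.6):
    """Flag a document whose external links mostly land on one host."""
    hosts = Counter((urlparse(u).hostname or "").lower() for u in urls)
    if len(urls) < min_links:
        return {"flag": False, "links": len(urls), "top_host": None, "top_share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / len(urls)
    return {"flag": share >= min_top_share, "links": len(urls),
            "top_host": top_host, "top_share": round(share, 2)}


def scan(data):
    """Run both checks and report what first-wins and last-wins readers see."""
    objs = parse_objects(data)
    dups = {f"{n} {g}": ("critical" if any(map(has_active_content, bodies)) else "info")
            for (n, g), bodies in duplicate_objects(objs).items()}
    views = {}
    for label, last in (("first-wins", False), ("last-wins", True)):
        urls = uri_actions(resolve(objs, last_wins=last).values())
        views[label] = {"urls": urls, "link_farm": link_farm_verdict(urls)}
    return {"duplicates": dups, "views": views}


if __name__ == "__main__":
    result = scan(build_sample_pdf())
    print("duplicate objects:", result["duplicates"])
    for label, view in result["views"].items():
        print(label, "first link ->", view["urls"][0], view["link_farm"])
```

Running it shows the point of the duplicate-object heuristic: the /Info redefinition is reported as info because it carries no active keys, while the redefined link annotation is critical, and the first-wins view lands on cdn.linkfarm.example/0.pdf where the last-wins view lands on /redirect. The link-farm verdict is the same for both views because the retargeted link stays on the dominant host.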

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_005_off00014ebe.bin
  SHA-256: 3bad0eb66e5f49198931f2414c5a1e6e20a78e69c9b8bf8048f8ae3af73b1c0f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x14EBE
  Size: 12240 bytes

Filename: font_00_sfnt_off00010c02.bin
  SHA-256: 64bfcfbe47a3d97f86a6481d0ec2d6ad9d7989995ff622927dac103dd221ec5f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10C02
  Size: 4936 bytes

Filename: font_01_sfnt_off00011cb4.bin
  SHA-256: d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11CB4
  Size: 3720 bytes

Filename: font_02_sfnt_off00012817.bin
  SHA-256: 96c97794b3dc1684b3c640b85c55bac3fa907e438081c06ed0b624e0b8d0a2eb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12817
  Size: 11304 bytes