Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a29a5488dfe70bd…

Verdict: MALICIOUS

File type: PDF

Size: 78.5 KB
Created: 2021-03-16 23:53:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d36f129c9ebd5762d89df4c570890686
SHA-1: b452b7855cd87aa99e91a8c51cc48f98a074c53a
SHA-256: 3a29a5488dfe70bda9e331da2226d45a18ed33f4d66b9630f772ae9afd53d190
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a significant number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, pointing to various domains, with one notable URL being 'https://vilenefex.ru/wix?keyword=smash+flash+3'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. No scripts were extracted, but the structure suggests an attempt to leverage SEO tactics to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=smash+flash+3

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ebf4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBF4
    Size: 5176 bytes
    SHA-256: 0e36dee5148a63222e843e78c2d2be8543fb87ef5e13d8c54ffd72ff5d2f5eb2
  • font_01_sfnt_off0000fd65.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD65
    Size: 1800 bytes
    SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
  • font_02_sfnt_off000105f3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105F3
    Size: 11432 bytes
    SHA-256: 52d3b91747ab97de137d7477660a06c4ddf7b109caed508007d9c26e596489cc