Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b464a7d08a752f2…

MALICIOUS

PDF

Size: 76.5 KB
Created: 2021-03-14 23:12:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa0eb20dc6e4f55acb437a81fdc107a6
SHA-1: 1a5d6640429a3b05936f1bd373416e361ac5756a
SHA-256: 3b464a7d08a752f2d48008e4965950dd6abb16203d56617db99f2e9c7f00063a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, and the critical PDF_SEO_LINK_FARM heuristic fired, indicating a large number of links pointing to other PDF documents. One of the primary URLs extracted, 'https://mezovuduw.ru/wix?keyword=structure+of+the+heart+worksheet+pdf', is associated with a phishing heuristic. ClamAV also detected the file as 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0', further supporting a malicious classification. The document body is heavily obfuscated, which prevents a clear reading of its direct content, but the heuristics and URLs strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/wix?keyword=structure+of+the+heart+worksheet+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ee50.bin | 6c51c2511a06ee64784e1cd5e80f5ce3def2ca51c770474cdf8a95a756696e49 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE50 | 5472 bytes
font_01_sfnt_off000100f8.bin | f77566b2947245f37b9641a9b5e68fe86f422852d120fea2f7d2cb34e48b5bf0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100F8 | 10376 bytes