Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e15e8ff6819715a…

Verdict: MALICIOUS
File type: PDF
Size: 85.1 KB
Created: 2021-05-18 15:44:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62f4d09f6387b3286dea789c5842921d
SHA-1: b49f1b46400dfc9b76e36885f42f9b3b75514bae
SHA-256: 3e15e8ff6819715aecd8d9f6571918b2c48a5ef4c18552416603f0feafe94458
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to PDF files with numeric slugs, indicative of a link farm. The document body, though heavily obfuscated, contains a title suggesting craft instructions, a common lure. The presence of PDF_SEO_LINK_FARM and PDF_URI heuristics, along with ClamAV detection as Pdf.Phishing.Trojan, strongly suggests a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000102e9.bin | 394aadbf366eb6dba19447a7c06d395ecd7d98095263a0f0f0669bb63d069b67 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x102E9 | 5132 bytes
font_01_sfnt_off00011418.bin | 0a658d95eaff3b94118455be0a6b56ac7b8655246cf15e1fd84d89a9b7a15ffa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11418 | 13060 bytes
font_02_sfnt_off00013d89.bin | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D89 | 4324 bytes