Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ef215528ab54f95…

MALICIOUS

PDF

90.5 KB Created: 2021-03-24 08:15:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd024b3cbd4d9b60061c9d346c2380c9 SHA-1: 4b1b1dc2a5b2ff6e1fe46c1c74dcd75fa9aa7b5f SHA-256: 3ef215528ab54f952c8154af29eb1ec7540379f8ea36e94af6ce8d13524a4ef1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results or direct users to malicious content. The primary external URL, 'https://soxebez.ru/wix?keyword=how+to+use+viper+remote+start+on+manual+transmission', suggests a lure related to vehicle operation, potentially for phishing or malware distribution. ClamAV and ML classifiers also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=how+to+use+viper+remote+start+on+manual+transmission
    • https://cdn-cms.f-static.net/uploads/4485012/normal_6014712092915.pdf
    • https://cdn-cms.f-static.net/uploads/4447464/normal_60421ebc01457.pdf
    • https://cdn-cms.f-static.net/uploads/4393772/normal_605381a8c2848.pdf
    • https://cdn-cms.f-static.net/uploads/4474978/normal_6015c5eaa53f2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/878395d1-a1c6-418a-b6c5-fc66f2dfe65b/biwibozidezewapifobijogu.pdf
    • https://uploads.strikinglycdn.com/files/65c46d53-0844-4c08-9344-5ddc78b6ea9e/95629491975.pdf
    • https://uploads.strikinglycdn.com/files/f716882a-483c-4e46-aada-1707709cb5e9/5007893299.pdf
    • https://3a00e800-a8eb-44ae-aafc-ae9aecab8e06.filesusr.com/ugd/1715bf_7812cc1919b4454e81319538d34b3e75.pdf?index=true
    • https://s3.amazonaws.com/garorowa/free_calendar_template_2019_with_holidays.pdf
    • https://627ea4a7-3f28-4bf3-8c99-6a9da7dacf48.filesusr.com/ugd/1970e2_f07d7592373342d098c79ab2e13589ee.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6ce82be4-c632-4274-ad15-bdbf39bfc7e7/buy_cessna_parts_direct.pdf
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_ea690fe5acb54264a56de364d76e6a21.pdf?index=true
    • https://486bfeb6-87d8-40a3-812f-3449909c9139.filesusr.com/ugd/81b904_3b05106ababb456d93f44e486c1aceab.pdf?index=true
    • https://s3.amazonaws.com/bomupi/audi_car_photos_wallpaper.pdf
    • https://uploads.strikinglycdn.com/files/f88816c1-991f-40be-912b-6afa9c76f703/olympus_om-1_battery_check.pdf
    • https://411be8f8-4ba1-40b5-9edf-cc4a2c3d5ecc.filesusr.com/ugd/a86d68_d12153853f7142f49778f25a45360b42.pdf?index=true
    • https://uploads.strikinglycdn.com/files/88b0e068-9a5c-49fd-9e22-cb1d9829d280/why_is_my_ge_refrigerator_freezer_not_freezing.pdf
    • https://uploads.strikinglycdn.com/files/fac64502-427d-4f2d-9971-e7b5c2f0241d/83083502902.pdf
    • https://8cff2b46-3289-4d4c-b6d5-84761b4963bb.filesusr.com/ugd/c91274_465c069a8a8644308d8a51384ecf8f10.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cab29f57-2c52-49fd-941a-808179f6337d/44263156489.pdf
    • https://4541bc1c-e35c-4de3-bb44-1f53c3e1a56d.filesusr.com/ugd/68f66e_0fa32c8d42f04387ab766a28e23f894e.pdf?index=true
    • https://s3.amazonaws.com/vinejivunitego/excel_vba_change_message_box_title.pdf
    • https://b2fc43c4-60ab-4dc1-a1c8-84833fda4e2a.filesusr.com/ugd/37321e_8114c4ba87c141e1848b91f6165dbfa2.pdf?index=true
    • https://s3.amazonaws.com/xijalovelokolep/gejoramekukotenigonik.pdf
    • https://4bd9ed84-c80b-4837-bb2f-b1353ebfd8aa.filesusr.com/ugd/5a1791_66a0554446524731a4af599cdbaf70eb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012676.bin
c67c3a6ad0640375b0f858d0fdaf992bc2c701662c298356e7a24b8bb0f5416d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12676 5080 bytes
font_01_sfnt_off000137b8.bin
7a509db7cf53ff864ae80106ef5fbc4b00aabe37ad7e9ea7449f92872fd71b77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x137B8 10672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.