Malicious PDF — malware analysis report

Static analysis result for SHA-256 45b93275ccb8bd92…

Verdict: MALICIOUS
File type: PDF
Size: 71.7 KB
Created: 2021-06-14 01:02:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64866d2c117e8396b4e6e9a18415a8f0
SHA-1: 7364981bd5f99d1a52b709240b3b20d8d161297e
SHA-256: 45b93275ccb8bd92d51fb2b2fefc08cfd9c04a364334136caca7239d480f72b7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a large number of external links, many of which are likely part of a link farm designed to direct users to malicious sites, such as the one at 'https://inwebjor.ru/pbw?utm_term=moviebox+pro+for+smart+tv'. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDF documents from web content, potentially for phishing lures.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000dc7b.bin
    SHA-256: 8d86ad3ce13eb41dfbf74461aa965d06620c97669e5dddb9891ffe1c69bc6c9c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC7B
    Size: 5288 bytes
  • font_01_sfnt_off0000ee71.bin
    SHA-256: 49927f12b1ba99450129bc3443d0f6d790d538a5208edd26170bd45b740b5663
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE71
    Size: 10272 bytes