Malicious PDF — malware analysis report

Static analysis result for SHA-256 47052b82e96b6871…

MALICIOUS

PDF

Size: 91.3 KB
Created: 2021-04-16 23:41:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04488317470af963d335be22eb1df8c7
SHA-1: 7dc8c4d9c73994d53fab438b320d50848463fb6f
SHA-256: 47052b82e96b6871f22dea98558011d328d4f41e019d35fc00c141707e4044af
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are hosted on disposable domains, suggesting a link farm designed to distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. The primary URL, 'https://pelibifir.ru/strik?utm_term=upgrading+and+repairing+pcs+book+pdf', appears to be a lure for users searching for PC repair information, likely leading to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9961

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://pelibifir.ru/strik?utm_term=upgrading+and+repairing+pcs+book+pdf
    • https://cdn-cms.f-static.net/uploads/4476758/normal_5fdc794361db6.pdf
    • https://cdn.sqhk.co/bevoroxur/mheUgco/on_my_block_cast_ages_spooky.pdf
    • https://rugabefek.weebly.com/uploads/1/3/0/7/130775918/kutixoludoniwiwiju.pdf
    • https://tivurenufetoza.weebly.com/uploads/1/3/4/2/134235987/tipidipanagifaxuru.pdf
    • https://tadizape.weebly.com/uploads/1/3/1/6/131637484/6859737.pdf
    • https://jimepozuzaz.weebly.com/uploads/1/3/5/3/135350414/06586cd5b.pdf
    • https://cdn.sqhk.co/gawagunikuw/8s4bfkk/jawesanadubuw.pdf
    • https://najutumivuzobo.weebly.com/uploads/1/3/4/4/134473994/1551489.pdf
    • https://wesobopaforok.weebly.com/uploads/1/3/5/3/135311180/3778946.pdf
    • https://cdn.sqhk.co/bozadukopufu/V1gkhaq/64080942659.pdf
    • https://static.s123-cdn-static.com/uploads/4403565/normal_5fc628e5f1f6b.pdf
    • https://cdn.sqhk.co/fokivetezabu/gdjg4jc/6309589305.pdf
    • https://static.s123-cdn-static.com/uploads/4477156/normal_5fe5693d4ba65.pdf
    • https://mogomanazeveka.weebly.com/uploads/1/3/0/9/130969503/ripasomon.pdf
    • https://likosevatifipol.weebly.com/uploads/1/3/4/5/134584064/lanikutu.pdf
    • https://cdn-cms.f-static.net/uploads/4413702/normal_6024a3bd07aeb.pdf
    • https://mawuredover.weebly.com/uploads/1/3/5/9/135957038/ffb719dd1c.pdf
    • https://cdn.sqhk.co/potebuso/hdhjjdi/bean_full_movie_480p.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e44de090-c64a-4a0f-b555-2784aa0ac37b.filesusr.com/ugd/41d583_5494e01ae1d846e396f5abe7c38b34b3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/81dcb052-1448-4502-95c5-314f34436b9d/progressive_pre_employment_drug_test.pdf
    • https://uploads.strikinglycdn.com/files/0249f919-0629-4444-8db9-764d13ab2a13/civics_today_textbook_chapter_15.pdf
    • https://f6b99bba-f064-431f-ab68-6eacb91b2703.filesusr.com/ugd/35e1ce_2dfeda52a94c44a6a8830651a2b41e54.pdf?index=true
    • https://3633ae4e-9acc-45df-885e-1bfa1481cb44.filesusr.com/ugd/e73054_8c067a204eb244a792ceedf6d6368339.pdf?index=true
    • https://uploads.strikinglycdn.com/files/649db303-2abe-41f8-a02e-73451c808562/leninuwavora.pdf
    • https://3bcdeb60-9876-4d14-bc0a-1dd1632c647c.filesusr.com/ugd/16a96a_8f5b2dcb3b444be38107cac13f19bd8a.pdf?index=true
    • https://36c7e617-1221-4173-b726-d5bce2878801.filesusr.com/ugd/610d21_b3a9f36f520b42cdb7b2ac197cc58627.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012878.bin
    SHA-256: 9f4c1093420020a1e9c3cc9ac3df89adfc4ee7e45c435d21f189f757a809553c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12878
    Size: 5488 bytes
  • font_01_sfnt_off00013b32.bin
    SHA-256: cad2670d6b7c2aa7c5c5753cf4d9520990b4ce3b26105b8c053ba11200a7410d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13B32
    Size: 10664 bytes