Malicious PDF — malware analysis report

Static analysis result for SHA-256 4817660583b26d10…

MALICIOUS

PDF

75.8 KB Created: 2021-03-06 23:45:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a3f64df311cff41c5a90b8b810279ba SHA-1: 7a8a3c15391a78f7ac68b666659b73afecae2757 SHA-256: 4817660583b26d103e6a3a49ed3039f19c020b56185046a19bc2bca855cd38b2
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The 'SE_BROWSER_INSTALL_LURE' heuristic suggests the document attempts to trick the user into installing a browser extension or update. The presence of numerous external links, including one to 'jumiwimov.ru', further supports a phishing or malware distribution scheme. No scripts were extracted, but the overall structure and heuristics point to a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/123?utm_term=how+to+stop+netflix+playing+trailers+automatically
    • https://cdn-cms.f-static.net/uploads/4384154/normal_6026b0cc9e2cc.pdf
    • https://cdn.sqhk.co/vubiwete/2422icv/gnu_radio_fm_receiver_download.pdf
    • https://static.s123-cdn-static.com/uploads/4489609/normal_5ff4822986428.pdf
    • https://static.s123-cdn-static.com/uploads/4479235/normal_5fdcb8169491a.pdf
    • https://cdn-cms.f-static.net/uploads/4425506/normal_60279d0d3d419.pdf
    • https://static.s123-cdn-static.com/uploads/4428052/normal_6000b289a300e.pdf
    • https://cdn-cms.f-static.net/uploads/4481994/normal_602e7528b0fdc.pdf
    • https://static.s123-cdn-static.com/uploads/4487897/normal_5feffc4609d08.pdf
    • https://cdn-cms.f-static.net/uploads/4416326/normal_603aa043ac887.pdf
    • https://cdn.sqhk.co/dopuzodopuvu/ejfUgf6/wuwaloxejanox.pdf
    • https://static.s123-cdn-static.com/uploads/4412159/normal_5ff4fc2a2943b.pdf
    • https://static.s123-cdn-static.com/uploads/4427781/normal_6001da6db3870.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fewifuwu/groupe_bpce_annual_report_2016.pdf
    • https://s3.amazonaws.com/kakekojezutok/gone_with_the_wind_plantation_house.pdf
    • https://c18d7360-3707-4bf1-9d6f-52ba7510fa17.filesusr.com/ugd/76cb06_b49020e5af9e4f07a227f146625b7296.pdf?index=true
    • https://s3.amazonaws.com/sejakopa/72352747854.pdf
    • https://ded05c8b-f0d8-42bc-a64b-daa0b63394ca.filesusr.com/ugd/99afdc_bbf9ecbc9a9644bfa6f136ef00f41e56.pdf?index=true
    • https://s3.amazonaws.com/pekatikisuruki/nuwirixejomamiwadojiku.pdf
    • https://033a7475-7ccb-45c1-8f1e-38fd320d48d0.filesusr.com/ugd/03a576_ac542e3f3d854db0bdddcb13d87a5d5b.pdf?index=true
    • https://709e7e89-b264-4d73-b757-064736ed86f1.filesusr.com/ugd/f523c3_6716f0fdc23d44759f251884942ff1d4.pdf?index=true
    • https://1c985592-4fe2-425a-b8d2-7dc24782370c.filesusr.com/ugd/a13bc2_c88f54396ebe401c89bd52996b26bb07.pdf?index=true
    • https://6363ce23-9394-4102-a476-7be320345719.filesusr.com/ugd/7c41c1_6c23fee983f7460e8b7343ff84e94aeb.pdf?index=true
    • https://s3.amazonaws.com/pizexopenaxu/application_for_sick_leave_format.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ead4.bin
4293f5bae06bffc95a9af1115c3b3a22bda2cb05938ae7f36d4456252de45574		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEAD4 5560 bytes
font_01_sfnt_off0000fdc8.bin
986dec6d8503b659c45de671a43a2ab0d6440817916bd66586bb204ff8bec009		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDC8 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.