Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bd5b0917b0153d8…

Verdict: MALICIOUS
File type: PDF
Size: 86.2 KB
Created: 2021-04-02 20:01:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59102df8c36bb6e05ecf91579dd46963
SHA-1: b704800edc9f62c236e33f6b46b5e9a2851aa264
SHA-256: 4bd5b0917b0153d8250fbf953149efe9fc3a4864cbbc373ffad79a88e701beb6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to Weebly-hosted PDFs, suggesting a link farm or SEO poisoning tactic. The primary URL, 'https://crophysi.ru/award?keyword=bread+baking+for+beginners+pdf', is presented as a search result, indicating a lure to a malicious site. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://crophysi.ru/award?keyword=bread+baking+for+beginners+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00010932.bin
    SHA-256: 9eb65f35f590c645caf644af342134a9c43ef5f5ce861d6d864b5531dedbac72
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10932
    Size: 5428 bytes
  • font_01_sfnt_off00011bb3.bin
    SHA-256: e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11BB3
    Size: 1800 bytes
  • font_02_sfnt_off00012441.bin
    SHA-256: ddac23725a0b4ab037a80a830cadadfef4f3b7af26cc1b69a69a3d2dbecc0a68
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12441
    Size: 11588 bytes