Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d005567bf0a0fe5…

Verdict: MALICIOUS
File type: PDF
Size: 75.5 KB
Created: 2021-03-07 14:48:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0ff50000d5c1cf9f1aa361040d9333d
SHA-1: d6f5c3c5b65ecb9806981abf5de173ecb16a8ed2
SHA-256: 4d005567bf0a0fe5140b77ec56595b74b58c5129c7c0ef763e70754ad23adc33
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, most of them pointing at other PDF documents on a handful of CDN and free-hosting domains. This link-farm pattern is characteristic of generated SEO carrier documents, which are used to route search traffic into malicious or unwanted-software delivery chains, rather than of a normal citation list. The primary malicious URL is https://jumiwimov.ru/strik?utm_term=powermate+generator+5000+watt+no+power, which likely hosts a phishing page or serves a second-stage payload. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (malicious score 0.9997) independently classify the file as malicious. Note that none of the heuristics below reports JavaScript in the file, so the T1059.007 mapping is not backed by an extracted script on this page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external links to other PDF files, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a URI, JavaScript or launch action).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries at the end of the list are RDF/Dublin Core/XMP namespace identifiers from the document metadata, and http://scripts.sil.org/OFL is the Open Font License link carried in the embedded fonts' metadata; these are identifiers, not navigable link targets.
    URL: https://jumiwimov.ru/strik?utm_term=powermate+generator+5000+watt+no+power
    • https://static.s123-cdn-static.com/uploads/4416318/normal_6003257a9808c.pdf
    • https://cdn-cms.f-static.net/uploads/4482854/normal_5fd2881658885.pdf
    • https://static.s123-cdn-static.com/uploads/4373527/normal_5fdf30de9a559.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/727e6e0e-efc0-4269-a2b9-83e74adf039d/25870450264.pdf
    • https://uploads.strikinglycdn.com/files/175ebcd9-b6ea-4a67-99eb-4a01426cee02/farberware_air_fryer_toaster_oven_fried_chicken.pdf
    • https://uploads.strikinglycdn.com/files/64d0c3ba-c2ba-4906-a494-ffad69d7337b/citizen_eco_drive_atomic_watch_instructions.pdf
    • https://uploads.strikinglycdn.com/files/253f0118-1ea3-4b22-9577-c7e612e7884c/66006449007.pdf
    • http://betiravel.epizy.com/8949666098.pdf
    • http://kemubozureta.epizy.com/albury_wodonga_television_guide.pdf
    • https://s3.amazonaws.com/kifutizijebuj/noxotajafutudupodigoril.pdf
    • https://s3.amazonaws.com/likadojivivofu/asphalt_6_adrenaline_mod_apk_revdl.pdf
    • https://3c3b6f52-20a2-448a-be11-eec5930c502f.filesusr.com/ugd/0ca786_dd51918f5dd04e1ba13098df8256c418.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7eb49b53-0f90-4940-89a9-dc4bfca28753/mary_poppins_musical_soundtrack_download.pdf
    • https://850a36a1-966c-46c3-86ed-e15bcb5778a7.filesusr.com/ugd/ede58b_1f57decabe994300bbdd69d6ffe1ed6d.pdf?index=true
    • http://zanukabijegur.rf.gd/xutitapozi.pdf
    • https://s3.amazonaws.com/bufexa/blind_carbon_copy_email_template.pdf
    • http://karajifaderiwow.epizy.com/guidelines_for_healthcare_workers_exposed_to_tb.pdf
    • https://uploads.strikinglycdn.com/files/40f72d71-e378-435b-b40c-1378a04df837/where_to_donate_blood_besides_red_cross.pdf
    • https://9e269ae7-c3cf-4b9f-bde2-1d9be064b7bf.filesusr.com/ugd/139869_1ec9ec2e00644f739c3d577e73170b37.pdf?index=true
    • https://uploads.strikinglycdn.com/files/db2acc55-28df-4a89-82a4-a34f878004f1/canon_650d_battery_life.pdf
    • https://uploads.strikinglycdn.com/files/da34203a-aac1-4952-97a4-608bea03177d/waste_equals_food_definition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
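The two PDF-structure heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan of the file. The following is an added example written for this page, not the analysis platform's own code. It runs both checks over a constructed PDF (hypothetical hosts; an incremental update that redefines one link annotation) and reports the first-wins and last-wins bodies of the duplicated object side by side. The thresholds, the list of "active content" keys and the severity labels are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): revision 1 carries four link
# annotations, three of them .pdf files on one CDN host; an incremental update
# then redefines object 5 so the same annotation points somewhere else.
# All hosts are hypothetical.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.net/a/manual_one.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.net/b/manual_two.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.net/c/manual_three.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.org/) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: object 5 is defined again with a different /URI
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.invalid/strik) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Byte-level patterns: no xref walk, no stream awareness, so a stream body that
# contains the literal "endobj" or an escaped ")" inside a URI would confuse them.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm")  # assumed "active content" markers


def extract_uris(pdf_bytes):
    """Every /URI action string in file order. Because this reads raw bytes,
    both definitions of a duplicated object are seen, whereas a viewer sees one."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def link_farm_heuristic(pdf_bytes, max_size=200_000, min_pdf_links=3,
                        min_pdf_ratio=0.6, min_host_share=0.6):
    """PDF_SEO_LINK_FARM-style check: small file, many external links to .pdf
    files, most of them on a single host. Thresholds are assumptions."""
    external = [u for u in extract_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    # urlparse().path ignores the query, so ".../x.pdf?index=true" still counts.
    pdf_links = [u for u in external
                 if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_ratio = len(pdf_links) / len(external) if external else 0.0
    host_share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
           and pdf_ratio >= min_pdf_ratio and host_share >= min_host_share)
    return {"rule": "PDF_SEO_LINK_FARM", "hit": hit,
            "external_links": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "host_share": round(host_share, 2)}


def duplicate_object_heuristic(pdf_bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: report every object
    (number, generation) defined more than once with different bytes, with
    the body a first-wins reader and a last-wins reader would each resolve."""
    first = {}
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = any(k in body or k in first[key] for k in ACTIVE_KEYS)
            findings.append({
                "rule": "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", "object": key,
                "first_wins": first[key].decode("latin-1"),
                "last_wins": body.decode("latin-1"),
                "active_content": active,
                # the label is an assumption; the page says only that severity is raised
                "severity": "high" if active else "info"})
    return findings


def analyse(pdf_bytes):
    return {"link_farm": link_farm_heuristic(pdf_bytes),
            "duplicate_objects": duplicate_object_heuristic(pdf_bytes)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_PDF), indent=2))
```

On the constructed sample the link-farm check fires (three of five external links are .pdf files, all on one host) and the duplicate-object check reports object 5 0 with the CDN link as the first-wins body and the lure host as the last-wins body, flagged as active content because both carry a /URI action. Against a real file, compare the findings with what a compliant reader renders: the xref of the last revision decides which definition is live, and a scanner that counts both will overstate the link total.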

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e99f.bin
  SHA-256: ed53ff9ca79be3d98d5a8f52a29afbae6d2f2acb582c4f4c765038c0f10bfc9b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE99F
  Size: 5288 bytes

Filename: font_01_sfnt_off0000fb9b.bin
  SHA-256: 655480442bbb50b19d5515dac87c9f8defc62d6e3c99f58634fcf809a0d10f3e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFB9B
  Size: 10832 bytes
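The page does not show how the two font streams were carved. The following added example (written for this page, not the analysis platform's own code) recovers sfnt fonts from a PDF by scanning for stream objects, inflating FlateDecode streams and checking for an sfnt magic number, and names the output the way the table above does. It assumes that the table's offset column is the file offset of the stream data, and it runs on a constructed PDF that contains one Flate-compressed fake TrueType header (hypothetical content, not the analysed sample).

```python
import hashlib
import re
import zlib

# Magic numbers of the sfnt container used by TrueType/OpenType fonts.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "truetype", b"OTTO": "opentype-cff",
               b"true": "truetype-mac", b"ttcf": "collection"}
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
OBJ_HEADER_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
# A direct /Length (not "/Length 12 0 R" and not "/Length1").
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")


def iter_streams(pdf_bytes):
    """Yield (obj_id, data_offset, dict_bytes, raw_stream) for every stream.

    Byte-level scan, not an xref walk: it also finds streams left behind in
    earlier revisions or never referenced, which is what a carver wants.
    """
    for m in STREAM_START_RE.finditer(pdf_bytes):
        start = m.end()
        window = pdf_bytes[max(0, m.start() - 512):m.start()]
        headers = list(OBJ_HEADER_RE.finditer(window))
        if headers:
            head = window[headers[-1].start():]
            obj_id = (int(headers[-1].group(1)), int(headers[-1].group(2)))
        else:
            head, obj_id = window, None
        length = DIRECT_LENGTH_RE.search(head)
        if length:
            end = start + int(length.group(1))
        else:
            # No direct /Length: fall back to the endstream keyword and drop
            # the EOL that precedes it (wrong if the data itself ends in an EOL).
            end = pdf_bytes.find(b"endstream", start)
            if end < 0:
                return
            if pdf_bytes[end - 2:end] == b"\r\n":
                end -= 2
            elif pdf_bytes[end - 1:end] in (b"\n", b"\r"):
                end -= 1
        yield obj_id, start, head, pdf_bytes[start:end]


def carve_fonts(pdf_bytes):
    """Return the sfnt fonts embedded in pdf_bytes, inflating Flate streams first."""
    fonts = []
    for obj_id, offset, head, raw in iter_streams(pdf_bytes):
        data = raw
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or multi-filter stream: do not guess
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        fonts.append({
            # same naming scheme as the artifact table: index, container, file offset
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), offset),
            "object": obj_id, "offset": offset, "kind": kind,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return fonts


def build_sample_pdf():
    """Constructed sample: one plain content stream and one FlateDecode stream
    whose inflated bytes start with the TrueType sfnt magic (padded, not a real font)."""
    fake_font = b"\x00\x01\x00\x00" + b"\x00\x0a" + b"\x00" * 200
    compressed = zlib.compress(fake_font)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Length 23 >>\nstream\nBT /F1 12 Tf (Hi) Tj ET\nendstream\nendobj\n",
        b"2 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(compressed), len(fake_font)),
        compressed, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for f in carve_fonts(build_sample_pdf()):
        with open(f["filename"], "wb") as out:
            out.write(f["data"])
        print(f["filename"], f["object"], f["kind"], f["size"], f["sha256"])
```

The carved bytes are the inflated font, so the reported size is the decoded length (the /Length1 value wkhtmltopdf writes for FontFile2 streams), not the compressed stream length. Hash the carved file rather than the stream so the value matches across samples that embed the same font with different compression settings.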