Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e995b2b44c0171b…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-03-24 00:42:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d04b7ddad2f693912f68fbd9ff09ed1
SHA-1: d7d2cfa5ac0a115897cf4a9745778e692d85b8f2
SHA-256: 4e995b2b44c0171b85e7315f8b8a2514945cbb4049f11c42355e7644ecc08ce8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many of which are part of a link farm, suggesting a phishing or scam attempt. The document body, though partially corrupted, includes a title related to firearms, which may be used as a lure. The presence of multiple unknown reputation URLs further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://vilenefex.ru/strik?utm_term=how+to+zero+ar15+at+50+yards
    • http://ketousa.site/inc._and_grow_richg6yve.pdf
    • http://copyrights-notices-helps.com/tobuzidox6v8zj.pdf
    • http://introdom.ru/47509806169uind3.pdf
    • https://cdn.sqhk.co/vovidonob/dTidDOR/nova_launcher_setup_backup_file_download.pdf
    • https://cdn.sqhk.co/karapenakozi/iibEqja/sesumeka.pdf
    • https://cdn.sqhk.co/wobuwozavenu/D97icjc/mouse_running_across_screen_for_cats.pdf
    • http://trening-ekaterinodar.ru/biochemistry_concepts_and_connections_free7emqf.pdf
    • https://cdn.sqhk.co/ranotigu/fhcjjgd/hallmark_channel_on_amazon.pdf
    • http://fastgetme.online/ronageso223iy.pdf
    • https://cdn.sqhk.co/fudopalizew/ibjfbra/story_saver_apk_mirror.pdf
    • https://cdn.sqhk.co/dofewijoras/MhgmNjc/tomosuxavuxekexopenem.pdf
    • https://cdn.sqhk.co/demexadol/fhbiehf/space_wallpaper_for_iphone_x.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5ac9d038-517d-4536-97f6-676423289421.filesusr.com/ugd/b444d4_f6432141e9c94605bf87d5629e7d6861.pdf?index=true
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_a7c197174f984a899ef38b78b731f3a0.pdf?index=true
    • https://65de77fc-0341-4fd2-89b2-cd6b005a91de.filesusr.com/ugd/cf79db_ea753e62cc814b8e9b3709a030a83528.pdf?index=true
    • https://c96d0889-97fb-4213-90a4-a08ae01970e6.filesusr.com/ugd/ed32f2_06bb39a9dce4405ba1e9cb9f4559d85d.pdf?index=true
    • https://828c6a01-da61-4814-986a-f72e64f4f334.filesusr.com/ugd/cdfdba_460fed124be2430088914225b594b5d7.pdf?index=true
    • https://7a69a04d-b0b3-478e-a927-895b34d3dd44.filesusr.com/ugd/159848_4d830b4603ee479f8c3a29ef0105842c.pdf?index=true
    • https://d2ea4bfc-f92a-4379-acf2-d9b69981ddb7.filesusr.com/ugd/739437_4af06d1903284e0b864d137dbb8bb99e.pdf?index=true
    • https://ebed6276-6372-4ddf-adad-9a0fa504b99f.filesusr.com/ugd/805d2a_7e2ec512997945ffa26e8d1a4c013761.pdf?index=true
    • https://0298dc5a-7924-4276-8279-06452a5288da.filesusr.com/ugd/b30cf0_cf3afb2946754317a9d9210304156dff.pdf?index=true
    • https://506dbbd1-d4b3-44b1-a4c9-6b5d0cab6a23.filesusr.com/ugd/c75f60_ecd53858e2ed4eb688187ea12314a9ae.pdf?index=true
    • https://c4e42e93-254c-4ba8-b495-737f84002742.filesusr.com/ugd/ddb60a_693fd3e4189943f48e36c8a5a399d65d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off0001104f.bin
    SHA-256: c68140c3536bbc3de1a7608e472bd3ddad1927286cb9dfae70c5934be0fdc710
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1104F
    Size: 5312 bytes
  • font_01_sfnt_off0001228e.bin
    SHA-256: 5370063e6d22f9dc530eb16e243f7d672dd8fcd90bd9f6fb5d0889cb72b8c309
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1228E
    Size: 10952 bytes