Malicious PDF — malware analysis report

Static analysis result for SHA-256 5107567df5311611…

MALICIOUS

PDF

Size: 89.0 KB
Created: 2021-03-21 05:11:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b8bde4555e46afb5e500617fa947b60
SHA-1: 42d0d865880ecd98ac2d15594fe7d4712bf845c3
SHA-256: 5107567df53116119390ea3fe5cd3aa107b2d38ae57e1e6c5dc7dbcbd0b139cd
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, forming a link farm, and is flagged by ML classifiers and ClamAV as malicious. The primary URL, 'https://xezojetit.ru/strik?utm_term=phonics+screening+test+year+1+sample', suggests a phishing lure related to educational materials. While no scripts were explicitly extracted, the PDF structure and extensive external linking indicate an attempt to redirect users to potentially malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=phonics+screening+test+year+1+sample

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off00011e05.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E05 | 5500 bytes
    SHA-256: 6b3c7bd0057bfc2ebe5034223f60b0fb30a8c4582f4a8f0b4a8b677a357c9f81
  • font_01_sfnt_off000130a0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x130A0 | 11272 bytes
    SHA-256: 0e453feabf2187584ddaaeeb24e26d325184f02f48e86f531c9c499f7de894a0