Malicious PDF — malware analysis report

Static analysis result for SHA-256 517a05c3055f8899…

MALICIOUS

PDF

78.2 KB Created: 2021-03-25 17:08:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 737d3443de942586cb5d7298c5ed7269 SHA-1: 79584fbd0b2ae5d418742c37b7aa146b0ede1a05 SHA-256: 517a05c3055f8899790e4d0015dcc8ed84419bdc1c8b9810744ce488dd64c5a0
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are likely part of a link farm designed to direct users to malicious websites. The heuristic 'PDF_SEO_LINK_FARM' and the presence of numerous URLs strongly suggest this is a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=let%2527s+golf+3+apk+full
    • https://cdn-cms.f-static.net/uploads/4493873/normal_604ee0731cfcd.pdf
    • https://cdn-cms.f-static.net/uploads/4461250/normal_5fe7fce8445b7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a2c67b61-a01d-4053-b7ad-f1487bca8054.filesusr.com/ugd/24853a_a6942888593040aa8979f6f7d6f5b576.pdf?index=true
    • https://e216d865-ddc7-438b-99b2-64609380b1bb.filesusr.com/ugd/7ae8b3_2fe3aec609ce4457a04fa18a303e133d.pdf?index=true
    • https://s3.amazonaws.com/fulazelof/6243973110.pdf
    • https://fb7bf4c5-056f-4058-a7d1-073478569b53.filesusr.com/ugd/d90490_2fbed22cf7164b7da660c7bd700f77eb.pdf?index=true
    • https://2791e1c6-719d-47aa-bdc5-1556df251b63.filesusr.com/ugd/7757c5_c82cabcbce9b426a9fb6e1d0a44b4eac.pdf?index=true
    • https://f867c6cd-7aae-4938-a634-6821dcb48262.filesusr.com/ugd/eb45fa_cb5cafe47a2040b39f72fddcdabb1078.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c4ed7708-b63f-40aa-9f84-455fd10e609a/epson_expression_premium_xp-820_review.pdf
    • https://92fed17e-af34-466b-b3fe-38cd9ef27699.filesusr.com/ugd/192d58_ba8a6129e86047a69a669d94e6d6c10f.pdf?index=true
    • https://94cb5446-44f7-499c-8ddd-8d9df3a2db3d.filesusr.com/ugd/9b9c26_73f831b794804092944fd988a21eb1a7.pdf?index=true
    • https://s3.amazonaws.com/woxotopapozokev/21018133824.pdf
    • https://56a7be67-7dca-40da-a973-69ad719fb73b.filesusr.com/ugd/fedf23_230e8e208857420e960e8d0e0fcff7d6.pdf?index=true
    • https://3064a0a7-8496-4b95-be1e-56094aee372f.filesusr.com/ugd/0cf4b9_4748d7f94f294eb7b1735869e1d4c82d.pdf?index=true
    • https://6d23287f-a15b-43b7-8d69-700c0e01f504.filesusr.com/ugd/185c00_b7c0cf8a194f4b3289db4c5ced36ecfa.pdf?index=true
    • https://s3.amazonaws.com/bejokazemur/dafesizipevafiga.pdf
    • https://601bead5-a720-4f65-98db-62fe2a42cb91.filesusr.com/ugd/0e52b4_b5ab91015f76407ebdf31229204a2f6b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1b32e091-6b78-475e-bf8d-da6cc7526eff/replacement_glass_for_howard_miller_grandfather_clock.pdf
    • https://13a7c488-548c-4b48-b567-d2b0b9a3e1de.filesusr.com/ugd/85d67f_4c5fb5bda5b549f6beabb00a91df2ee3.pdf?index=true
    • https://d17f4099-ecc1-42b1-9c73-51521793457c.filesusr.com/ugd/4a2613_e26e322ec5d04795ad1bd1270ee3053f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb77.bin
5bb0f5f91a7a183a5a27c150a02625c9692c90f9bd951373c70f70668d01b6d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB77 5176 bytes
font_01_sfnt_off0000fd40.bin
9d67e18ea55242ee053e75c7ca461a0b503662384b856aa2bfe852574d1f89ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD40 16540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.