Malicious PDF — malware analysis report

Static analysis result for SHA-256 51add0facaba81f5…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Created: 2021-03-18 08:58:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a7ea0e9011581b4f3273d5e3e252bb6
SHA-1: 784339fb871aa03d41cb4ca5a88706dc92addf96
SHA-256: 51add0facaba81f51dbf94d4708ce81fc528ebc2c8d9c54d3dda4a5c7dd51728
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing or link farm attack. It contains numerous external links, with the primary ones pointing to domains like xezojetit.ru and mypressonline.com, likely serving as lures for malicious content or further phishing attempts. The document body, though heavily obfuscated, suggests a theme related to IELTS academic writing samples, which is used to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/aws?utm_term=ielts+academic+writing+samples+pdf
    • http://lumogodasekepi.mypressonline.com/mechanical_engineer_job_in_australia.pdf
    • https://cdn.sqhk.co/pugirunosamo/fjNoicc/today_show_shop_toys.pdf
    • https://cdn.sqhk.co/gisatajofo/jiq2dgj/free_music_websites_to_listen_to_music.pdf
    • https://cdn-cms.f-static.net/uploads/4386828/normal_5fe6b6262a7b0.pdf
    • https://static.s123-cdn-static.com/uploads/4443799/normal_5fcc45688c27b.pdf
    • https://cdn.sqhk.co/wenejusuzixe/bjgFThb/63598143335.pdf
    • http://botefedej.sportsontheweb.net/89318236897.pdf
    • http://tofotibuwul.sportsontheweb.net/contract_law_principles_cases_and_legislation.pdf
    • https://cdn.sqhk.co/nuvexajamu/ikGiZha/guidebook_definition_and_examples_of_hyperbole.pdf
    • https://cdn-cms.f-static.net/uploads/4470678/normal_5fdb0e0e195b6.pdf
    • http://xepelewatelaziv.getenjoyment.net/87241972583.pdf
    • https://cdn.sqhk.co/pilupenemima/ODmjcmg/neighbors_game_walkthrough.pdf
    • http://foramodosug.mygamesonline.org/aptitude_test_free_download.pdf
    • https://cdn.sqhk.co/kekotenonaxu/qPIggRi/63491589946.pdf
    • http://gedatidigog.sportsontheweb.net/how_to_always_allow_adobe_flash_in_chrome.pdf
    • http://penageli.getenjoyment.net/metodologia_dela_investigacion_sampieri_capitulo_10_resumen.pdf
    • http://jawazapefaxuzit.mywebcommunity.org/abstract_nouns_crossword.pdf
    • https://cdn.sqhk.co/paparidew/qiiijGE/potbelly_sandwich_shop_southlake_mall_merrillville_in.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://486a928f-df87-4682-b39c-9199637d78f9.filesusr.com/ugd/982a49_9fd61b6bd67a4842a3fc51648f740424.pdf?index=true
    • https://ef2e072a-e8a2-4438-804d-cc750be2e2f6.filesusr.com/ugd/6a22cb_e71e7c6c004d446da3323de2dfc41738.pdf?index=true
    • https://54570836-76ea-4100-b78f-d1ba4c3cc0d1.filesusr.com/ugd/21ac59_17f959d96bb842e2994f25f4316bedb9.pdf?index=true
    • https://09235f31-469a-4613-94fc-36d04c1f642a.filesusr.com/ugd/8b6407_be6db2bf40cc4486930c878517cc4dcb.pdf?index=true
    • https://0ca3454e-05ac-49fc-8d00-644b1af7be3c.filesusr.com/ugd/8bf3fc_4152d4a1adca41f2a62448741a137107.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000f095.bin
    SHA-256: 020f270c37065f6df6f5432fe21045c23d1f22b7faafeb734b1603c92c301206
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF095
    Size: 5504 bytes
  • font_01_sfnt_off0001034e.bin
    SHA-256: 83dc895f6987c99a9a74f46eaa4eee2f59cd2099e1c7a1b36c505e41985f98d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1034E
    Size: 10688 bytes