Malicious PDF — malware analysis report

Static analysis result for SHA-256 5472ff6135f69055…

Verdict: MALICIOUS
File type: PDF
Size: 84.8 KB
Created: 2021-02-11 18:02:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5697dfcc6c8649c78bea46a7e3d770f0
SHA-1: 2710335f2c81e8c643d351c61435164da0d188bf
SHA-256: 5472ff6135f69055c720000b3d2d798f152924fe86a01d9d3ce8c03d48367a95
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links; the most prominent URL suggests a lure themed around 'basketball legends unblocked 6969'. Heuristics flag the large number of external links, most of which are likely part of a link farm used to distribute malware. A ClamAV detection and the ML classification both confirm the file as malicious, strongly suggesting it is used to redirect users to malicious sites for payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f90f.bin | 6a523816bf188e2dca98eec91e8b55912340383d61a476dcd126870d45a9694f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF90F | 5576 bytes
font_01_sfnt_off00010c13.bin | c6314dd97ede6347fea07dc89ce33e97f6905b04d1df8aa53f1b308eb87ed582 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C13 | 10584 bytes
font_02_sfnt_off00013056.bin | 5338b60dac2ddcc9fbf81734882903060897ff8c18563aad6864a581beec55c6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13056 | 16068 bytes