Malicious PDF — malware analysis report

Static analysis result for SHA-256 54a805dd8f55ef35…

MALICIOUS

PDF

Size: 103.1 KB
Created: 2021-04-16 15:51:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9d4566150b5321e1762ffdfbbb1b768
SHA-1: bc57733960214a45b00307eb295a0ac40fb099a3
SHA-256: 54a805dd8f55ef35a5bb037cded10c858bb8cc6974a4fafd1c561db0ee976521
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a "PDF_SEO_LINK_FARM". One of the primary external links, https://vilenefex.ru/strik?utm_term=how+to+produce+rap+beats, is flagged as suspicious and likely leads to a phishing or malware distribution site. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://vilenefex.ru/strik?utm_term=how+to+produce+rap+beats

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001544a.bin | 390af12eaca91b2ad5ecfc8d1ed05b284946a573d7131654a290bf794991f1d7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1544A | 5228 bytes
font_01_sfnt_off00016628.bin | 6cd6fc21c6cf21f0af15e1bc4a681e126ce97c75dad9a819eb2138e8a098f586 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16628 | 11616 bytes