Malicious PDF — malware analysis report

Static analysis result for SHA-256 5572bd7b278a6ec3…

MALICIOUS

PDF

75.7 KB Created: 2021-03-30 10:24:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76884c39b5dc9728db925460f5b39c29 SHA-1: 5f31784fc7359622f7f67d87495b9175166ed472 SHA-256: 5572bd7b278a6ec3650f2b8862387af359c2f9f0c4a940983ac430be2667472b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ML classifiers and ClamAV, flagging it as a phishing trojan. It contains numerous external links, including a link farm, and one prominent URL that appears to be a lure for search engine traffic. The document body, though heavily obfuscated, contains text related to 'Attack on titan season 4 netflix release date', suggesting a phishing or scam pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=attack+on+titan+season+4+netflix+release+date
    • https://vabeliguteziji.weebly.com/uploads/1/3/1/3/131379360/ac37dbd4.pdf
    • https://cdn.sqhk.co/zumumolebajo/5Nujaje/renezupeb.pdf
    • https://manabaxijex.weebly.com/uploads/1/3/4/6/134626004/genimamizukedaxavan.pdf
    • https://static.s123-cdn-static.com/uploads/4465557/normal_5fc7acc5273e2.pdf
    • https://cdn.sqhk.co/vilubofi/njcM7zb/nedaririvumobaxodivogi.pdf
    • https://static.s123-cdn-static.com/uploads/4445877/normal_5ff17df9d4ae7.pdf
    • https://cdn.sqhk.co/zovitamojim/eOjfWo2/thick_as_thieves_kingdom_come_deliverance_woyzeck.pdf
    • https://cdn.sqhk.co/rigizisojix/77hbgg7/89094852742.pdf
    • https://cdn.sqhk.co/puzokopu/jXbidhb/my_smart_blinds_solar_panel.pdf
    • https://cdn.sqhk.co/baziwuwe/a5OLFEG/crazy_pixel_warfare_3.pdf
    • https://cdn-cms.f-static.net/uploads/4366622/normal_604e337367fde.pdf
    • https://cdn.sqhk.co/legikowe/yZTamha/47716052381.pdf
    • https://cdn.sqhk.co/dederubap/6AWnotw/firorudevufaroma.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f00bf59d-d01a-437b-ab30-987f0ac2c52a/analog_electronics_course_objectives_and_outcomes.pdf
    • https://uploads.strikinglycdn.com/files/2a207e27-6904-49c3-bd3a-8c1469a7ac6c/metal_gear_solid_v_the_phantom_pain_guide.pdf
    • https://uploads.strikinglycdn.com/files/5d1bb982-82e7-42d8-89e7-662ac5f13f84/is_tascam_a_good_brand.pdf
    • https://uploads.strikinglycdn.com/files/d412f554-c568-4131-958d-ba10bc387be0/where_can_you_watch_the_twilight_saga_for_free.pdf
    • https://uploads.strikinglycdn.com/files/005395d0-76fb-459b-bc2f-66215e81d9f0/80379960663.pdf
    • https://uploads.strikinglycdn.com/files/b2d63a34-3c6d-485a-93c9-9fbc3d692f2d/hp_probook_6550b_battery_plugged_in_not_charging.pdf
    • https://uploads.strikinglycdn.com/files/d1469755-458f-415c-978b-4359c75cdbed/34293282643.pdf
    • https://uploads.strikinglycdn.com/files/74b09b94-81ba-4f87-b533-abbc06b44991/baixar_internet_explorer_9_download_gratis.pdf
    • https://uploads.strikinglycdn.com/files/e778f736-efc6-432d-bd53-8d2ea1ba7ba3/48799400796.pdf
    • https://uploads.strikinglycdn.com/files/e8459560-1ff0-445d-9363-93afdcb52b11/firehouse_subs_calories_hook__ladder.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8e6.bin
d5b1f738a8938fc2309162f62baa5cf5e48ad836f319cdf427e5ed6c831317db		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8E6 5224 bytes
font_01_sfnt_off0000fac9.bin
ccc8c2257396241556066202c4b882dd0e20700aae812635e29fc4d702ba4573		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAC9 10788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.