Malicious PDF — malware analysis report

Static analysis result for SHA-256 55750d948551bdc7…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-06-06 16:03:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5806f5e1290eee20ddfefab36649e30e
SHA-1: b838d2d83b24e435b280cfe03571d218ab5c0f4e
SHA-256: 55750d948551bdc7e1a7748c1dcb06b0b1428ddc83fdded1c1f4316c02f0c163
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including a critical finding for a PDF link farm and ClamAV detection as a phishing trojan. The document contains numerous external links, with the primary malicious URL being https://krisoc.ru/pbw. The presence of many external links suggests an attempt to direct users to potentially malicious or phishing websites, aligning with the characteristics of a phishing attack delivered via attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://krisoc.ru/pbw?utm_term=how+to+make+sheets+of+ice
    • https://vavivaso.weebly.com/uploads/1/3/0/8/130873957/sivikupudovaginazuxu.pdf
    • https://mokekisinuru.weebly.com/uploads/1/3/4/3/134366850/zularuf_kolexoriraro.pdf
    • https://ruwizugaxuluba.weebly.com/uploads/1/3/4/7/134759804/datadumuvazi.pdf
    • https://pewewikivu.weebly.com/uploads/1/3/5/3/135302390/vufetumogazep.pdf
    • https://jakuxibakamu.weebly.com/uploads/1/3/1/4/131407414/57a34ef4fa6e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nilanom.pbworks.com/f/87019618745.pdf
    • https://uploads.strikinglycdn.com/files/e0de5e25-e06d-406a-9b9d-479240e428c2/8721241049.pdf
    • https://uploads.strikinglycdn.com/files/d0e89cac-a1ae-462d-95a5-5aa4cbfe8614/how_do_i_get_an_api_certification.pdf
    • https://uploads.strikinglycdn.com/files/ad533061-9d7d-489b-adfe-83817a29b4f6/vuwabuketikamoko.pdf
    • https://uploads.strikinglycdn.com/files/060878f4-c1c3-4bcf-9b6d-cc4b7ad9feec/how_to_do_factoring_on_ti-84_plus.pdf
    • http://tukufidanega.pbworks.com/w/file/fetch/144426099/madras_university_arrear_exam_hall_ticket_april_2021.pdf
    • http://sekodegaxex.pbworks.com/w/file/fetch/144652329/homeros_ilyada_ve_odysseia_zet.pdf
    • http://kopixikosibi.pbworks.com/w/file/fetch/144622683/8_ball_pool_pc_vs_mobile.pdf
    • https://uploads.strikinglycdn.com/files/947a4a66-f4c3-4919-9c66-d2fc057f9c06/manual_completo_para_tocar_guitarra.pdf
    • https://uploads.strikinglycdn.com/files/09aa5729-1820-4f21-995a-639e05a11c66/lusesenurudinexozesek.pdf
    • http://xuvabufoj.pbworks.com/w/file/fetch/144564504/40813223753.pdf
    • https://uploads.strikinglycdn.com/files/9f53a4ab-6aed-4afb-b78a-af30d61a9fb7/cisco_ip_303_checking_dns.pdf
    • https://uploads.strikinglycdn.com/files/a48f29e1-3e2f-455c-b36d-aeeb734f35cf/the_brush_stopped_spinning_on_my_dyson.pdf
    • https://uploads.strikinglycdn.com/files/f96f50b6-6c5e-403a-b4e2-5d669defd9b4/gre_quantitative_hard_questions.pdf
    • https://uploads.strikinglycdn.com/files/1615ecfe-3b6e-4077-973b-49d7a8f2a490/i_want_more_than_anything_meaning_in_urdu.pdf
    • https://uploads.strikinglycdn.com/files/d368ec42-f401-4096-99cc-9ae1b9cf3260/how_to_write_a_central_idea_pyp.pdf
    • http://tereburokofe.pbworks.com/f/56246075750.pdf
    • http://feselikebapu.pbworks.com/f/assistir_online_te_amarei_para_sempre_filme_completo_dublado.pdf
    • https://uploads.strikinglycdn.com/files/fae6ea3b-44af-463f-89bd-29b874aa973e/wing_chun_training_dummy.pdf
    • https://uploads.strikinglycdn.com/files/8a766b88-9698-403e-bb20-1b85ce083bcb/amcor_portable_air_conditioner_how_to_drain_water.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f1cb.bin
  SHA-256: 00fe2a9d470af8aa88b3f1b5484a87324b7feeacfee9cf9440f4f2f35ca26dce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF1CB
  Size: 5112 bytes

Filename: font_01_sfnt_off0001031d.bin
  SHA-256: 0f2e99e6633d2d7f4b73de8099ce0e24b834933905b3b613a59faa17b88b76f0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1031D
  Size: 11636 bytes