Malicious PDF — malware analysis report

Static analysis result for SHA-256 557599c9726f25ca…

Verdict: MALICIOUS
File type: PDF
Size: 89.1 KB
Created: 2021-04-06 14:54:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 772fe54389c8beda0d1d33bcf0344414
SHA-1: b7c80cf0b287d2c447edf6ccd9493471ab83f314
SHA-256: 557599c9726f25ca891145606bae3701c374956ff98719846a1171429feae673
Risk score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF carries a large number of external links, most of them pointing at generated-looking PDF filenames on a handful of free-hosting and CDN domains; several are flagged as unknown or potentially malicious. That pattern matches an SEO link farm or phishing lure rather than genuine document citations. The ClamAV signature hit and the ML classifier score both point to malicious intent. No scripts were extracted from the file, so the T1059.007 (JavaScript) mapping above is not backed by extracted content; the risk lies in the link structure itself, a common carrier for redirecting users to malicious or unwanted-software delivery sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript or similar).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each one.
    • https://pelibifir.ru/strik?utm_term=us+history+timeline+project
    • http://lalat.space/electron_configuration_energy_levels_worksheetb8ecy.pdf
    • http://5coupon.info/free_music_s_for_iphones_offlinen8nss.pdf
    • https://cdn.sqhk.co/pesunexaxak/Nztfhiv/slide_away_miley_cyrus_ukulele_chords.pdf
    • http://wupemokabate.scienceontheweb.net/amazing_grace_organ_sheet_music.pdf
    • http://lerimofo.mywebcommunity.org/bizewexur.pdf
    • http://zaxegod.getenjoyment.net/36111126577.pdf
    • http://doridusa.medianewsonline.com/bbc_learning_english_grammar_challenge.pdf
    • http://ipoteka.net/remington_700_bdl_30_06_synthetic_stock_for_saleda0y0.pdf
    • http://jefevivavifax.scienceontheweb.net/what_colour_is_quinacridone_magenta.pdf
    • http://oneshops.space/bubebumpc8j6.pdf
    • https://cdn.sqhk.co/fobusobapeji/hjajbjj/37500907237.pdf
    • http://libertinemodels.com/xaxajo6u9or.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f635e5d9-31b1-4f19-b758-7a623be10181.filesusr.com/ugd/6cf0f5_51ff7b23730b489c9bccbaefe1140eb0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9adffa37-b2b1-4cdc-9cd1-4daf6482adf2/interior_design_course_in_delhi_part_time.pdf
    • https://198d5876-2e36-4a54-a59d-b4c1060b65be.filesusr.com/ugd/4733ca_08bc61617857467cbc3df2b5ba27f065.pdf?index=true
    • https://86042ffc-9b62-460b-8552-fb2522205a17.filesusr.com/ugd/4f92c1_492c769bd1b649b2a9ed422c4109cf64.pdf?index=true
    • https://uploads.strikinglycdn.com/files/abde3667-2c53-4903-8ca4-6fc5c309aaaa/tuxeraroliluxopamenowa.pdf
    • https://uploads.strikinglycdn.com/files/aefae923-bce1-4c06-a1f4-7360f7de7e96/31176579002.pdf
    • https://uploads.strikinglycdn.com/files/e160ea22-cf8f-4df9-8591-c7cc086c66d8/zoom_505_ii_user_manual.pdf
    • https://uploads.strikinglycdn.com/files/c9e1adfb-3f0e-44fb-af2a-9393ada6ba1f/manual_de_primeros_auxilios_cruz_roja_mexicana_2019.pdf
    • https://uploads.strikinglycdn.com/files/c0b41cb9-c56d-4c18-8f45-2e4b1db41221/the_spirit_of_laws_main_idea.pdf
    • https://8c285b57-3156-47ce-881b-df665acc117b.filesusr.com/ugd/8d46c2_45acd69d5cf04d2e84c51f7f7107923d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/30429be9-8dee-4644-8275-aa6bd4bee763/17308052008.pdf
    • https://uploads.strikinglycdn.com/files/a09c7497-3962-4987-a42a-a583ff6df0a6/vumuzemiluluxof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Note for triage: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, not navigable links, and the scripts.sil.org/OFL and ascendercorp.com entries are the kind of license and vendor URLs carried in font name tables, consistent with the three sfnt fonts carved from the file below. The actionable set is the .pdf links on the free-hosting and CDN domains, most of them on uploads.strikinglycdn.com and filesusr.com.
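The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few lines of byte-level parsing. The script below is an added example written for this page, not the engine that produced the report: it enumerates every `N G obj ... endobj` definition (keeping redefinitions from incremental updates instead of collapsing them), reports objects whose duplicate bodies differ and whether any copy carries active content, resolves link-annotation URLs under both first-wins and last-wins policies so the diverging destinations are visible, and scores host clustering of the external links. The thresholds (256 KB, 8 links, 60% on one host), the function names and the sample PDF with its `*.example` hostnames are all assumptions; the sample is constructed inline and omits the xref table, which is enough for this kind of triage but not for a conforming reader.

```python
"""Static triage for two PDF-structure heuristics: duplicate indirect-object
definitions (first-wins vs last-wins resolution) and link-farm scoring of
external /URI link annotations. Added example, not the report's own engine;
thresholds and the sample PDF below are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" pairs; non-greedy so each definition is captured separately.
OBJ_RE = re.compile(rb'(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.DOTALL)
# A literal-string /URI value, allowing backslash escapes inside the parentheses.
URI_RE = re.compile(rb'/URI\s*\(((?:[^()\\]|\\.)*)\)')
LINK_RE = re.compile(rb'/Subtype\s*/Link\b')
ACTIVE_KEYS = (b'/URI', b'/JS', b'/JavaScript', b'/Launch', b'/OpenAction')


def parse_objects(pdf):
    """Map (num, gen) -> list of body bytes in file order, keeping every
    redefinition instead of collapsing to one as an xref-driven reader would."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs


def resolve(bodies, policy):
    """'first': reader keeps the original definition; 'last': reader applies
    the incremental update (the ordinary PDF semantics)."""
    return bodies[0] if policy == 'first' else bodies[-1]


def duplicate_objects(objs):
    """Objects defined more than once with differing bytes, noting whether any
    definition carries active content (the condition for raising severity)."""
    return [
        {'obj': key, 'definitions': len(bodies),
         'active': any(k in b for b in bodies for k in ACTIVE_KEYS)}
        for key, bodies in objs.items()
        if len(bodies) > 1 and len(set(bodies)) > 1
    ]


def link_uris(objs, policy):
    """URLs from /Link annotations with a /URI action under the chosen policy."""
    urls = []
    for bodies in objs.values():
        body = resolve(bodies, policy)
        if LINK_RE.search(body):
            urls.extend(m.group(1).decode('latin-1') for m in URI_RE.finditer(body))
    return urls


def link_farm_score(urls, file_size, max_size=256 * 1024, min_links=8, cluster=0.6):
    """Flag a small PDF whose external links mostly share one host.
    The three thresholds are assumptions for this example."""
    external = [u for u in urls if u.lower().startswith(('http://', 'https://'))]
    hosts = Counter(urlsplit(u).hostname or '' for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ('', 0)
    frac = top_n / len(external) if external else 0.0
    return {'external_links': len(external), 'top_host': top_host,
            'top_host_fraction': round(frac, 2),
            'flag': file_size <= max_size and len(external) >= min_links and frac >= cluster}


def triage(pdf):
    objs = parse_objects(pdf)
    first, last = link_uris(objs, 'first'), link_uris(objs, 'last')
    return {'duplicates': duplicate_objects(objs),
            'first_wins_urls': first, 'last_wins_urls': last,
            'diverging': sorted(set(first) ^ set(last)),
            'link_farm': link_farm_score(last, len(pdf))}


def build_sample():
    """Constructed PDF (no xref table; enough for byte-level triage): one page
    with 11 /Link annotations, 9 on one host, then an incremental update that
    redefines annotation object 4 with a different destination."""
    urls = [f'http://uploads.cdn.example/files/{i:02d}.pdf' for i in range(9)]
    urls += ['http://other.example/a.pdf', 'https://fonts.example/license']
    annots = ''.join(
        f'{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] '
        f'/A << /S /URI /URI ({u}) >> >>\nendobj\n'
        for n, u in enumerate(urls, start=4))
    refs = ' '.join(f'{n} 0 R' for n in range(4, 4 + len(urls)))
    original = ('%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n'
                '2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n'
                f'3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n'
                f'{annots}trailer\n<< /Root 1 0 R >>\n%%EOF\n')
    update = ('4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] '
              '/A << /S /URI /URI (http://redirector.example/strik) >> >>\nendobj\n'
              'trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n')
    return (original + update).encode('latin-1')


if __name__ == '__main__':
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it on the sample and the output shows object 4 defined twice with active content, the first-wins link list pointing at the CDN file while the last-wins list points at the redirector, and the link-farm flag set because 8 of 11 external links share one host. Swap `build_sample()` for `open(path, 'rb').read()` to run the same checks on a real file; regex-based object scanning is deliberately tolerant of broken xref tables, which is exactly what a duplicate-definition PDF relies on.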

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000111b1.bin
    SHA-256: a463c0ac406822391397bd1fb9df716a63106b85a2899bd8460f930ff7eceecc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111B1
    Size: 5132 bytes
  • font_01_sfnt_off00012305.bin
    SHA-256: 5e66b3f0134190787e5c78f2695cbbf409b4fdb69a8f89f28e2040741e17fdf2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12305
    Size: 4104 bytes
  • font_02_sfnt_off00012e4d.bin
    SHA-256: 7facaaade6e6d26e797eb3702c464c0d3485cc885f7bfc7ae66660f3b6f7ea93
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E4D
    Size: 11328 bytes