Malicious PDF — malware analysis report

Static analysis result for SHA-256 5697d15d78b2e077…

MALICIOUS

PDF

78.6 KB Created: 2021-03-17 05:00:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a224428aeba7c64c9703f7b7fd0d506d SHA-1: 7ec7fef579730da8cba00f58d1aad1dac1ec119c SHA-256: 5697d15d78b2e077351e76b810e44d4ffed6505a46478a31db5fc9e8778f10a0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a primary focus on a URL related to 'Zen & Yoga', suggesting a lure for phishing or malware distribution. ClamAV detection and ML classification strongly indicate malicious intent. While no scripts were directly extracted, the PDF structure and embedded URI heuristics point towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=zen+%2526+yoga
    • https://cdn.sqhk.co/tamenotu/ihHihia/cucumber_eclipse_plugin_zip.pdf
    • https://cdn.sqhk.co/nawovoso/hjaVjeG/strategic_management_resource_allocation.pdf
    • https://cdn.sqhk.co/mawejoxejobe/gjeWgc1/multicraft_login_page.pdf
    • https://cdn.sqhk.co/velomegu/iQhjTaD/the_crossing_church_columbia_mo_service_times.pdf
    • https://cdn.sqhk.co/mixaluwekitu/QNhbIjf/8563980243.pdf
    • https://cdn.sqhk.co/zolewiko/FgghcOx/song_from_tribe_called_quest_space_program.pdf
    • https://cdn.sqhk.co/gobajejuz/gcjbrch/wyze_plug_alexa_server_is_unresponsive.pdf
    • https://cdn.sqhk.co/sujubowip/gjhiMij/sector_14_faridabad_haryana_pin_code.pdf
    • https://cdn.sqhk.co/pixukinoma/ihajbCc/sarcasm_meme_meaning.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://32cf4326-ba62-484c-a3ca-05d02c2dd2e5.filesusr.com/ugd/0b46e6_0b58e4be32144c37ab3eaabab762b177.pdf?index=true
    • https://3fb740b9-71d8-4183-8edb-de11b68c0a29.filesusr.com/ugd/1fbf8b_4a8e562fc328456496d8e3d7447d6cd6.pdf?index=true
    • https://a52dd608-e7dd-4d50-8005-e0fd7a3896b4.filesusr.com/ugd/43d2fc_c8db7fb2c5004455b6234a63534ef10c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a5480b7f-18a0-464c-beb3-f2f7ad83932f/how_to_start_a_mom_blog.pdf
    • https://uploads.strikinglycdn.com/files/51499c52-4105-4868-8b0f-e49fcb057d4d/xozirogomavosufajuw.pdf
    • https://4c6480a9-ccec-4c20-853c-cc48681c44ad.filesusr.com/ugd/935adc_428df73732be469a8ba58dabd6e1cfd6.pdf?index=true
    • https://ae26bae5-b1f3-4fb2-a0ba-5d2f2d23988c.filesusr.com/ugd/aec2ea_9e043593fa4740d785d9dd3200a9d6fb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/89a03013-0414-4ca7-8ce4-8798ab18033f/cool_things_to_draw_for_beginners_step_by_step.pdf
    • https://uploads.strikinglycdn.com/files/f3614a55-6114-497a-b9ac-46dd691ee0af/xewuwuzumidedavetedub.pdf
    • https://uploads.strikinglycdn.com/files/de8781de-4aff-495e-b5a1-55394eaede40/vobipa.pdf
    • https://3176e400-c268-4dc0-8d69-08eae86937f8.filesusr.com/ugd/ea2f88_cb2ba520755643f0b3fb8e5970e98764.pdf?index=true
    • https://acbe2b0b-ee64-4eea-b0ce-372b1aa9cc7a.filesusr.com/ugd/4bcc67_d7faa92a878348a299cb7c5a6f7c6017.pdf?index=true
    • https://b86313a8-447b-404d-ae6d-bc69740d899e.filesusr.com/ugd/e54fc7_904dcc8181de476ba42657ee0c7a98fa.pdf?index=true
    • https://6d251753-49d0-4f5b-a278-10ed1cacc9d0.filesusr.com/ugd/5c139a_11a63b3e03054faf8e6de537b75731ab.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f967.bin
1f0a65d923fc92ffbfaec920370b283bd96573c75978b397e4f8d8518c3f8aad		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF967 4112 bytes
font_01_sfnt_off0001076c.bin
2d7867ab3d22162293f2edd327ee5fd83e67ccc12f21d9e09a68b28af41f6b16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1076C 11056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.