Malicious PDF — malware analysis report

Static analysis result for SHA-256 56f9e65c8c576288…

MALICIOUS

PDF

74.2 KB Created: 2021-06-03 07:41:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca861ba73e883fa764620af9a1afc24a SHA-1: 7b5380c8d4d5efe897d779399f1f82e5f4f91f01 SHA-256: 56f9e65c8c57628833aff2652a391faf1908291fc2459d28ab4800b1cc6d667f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, with one primary URL pointing to a suspicious domain. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The presence of embedded JavaScript, though not explicitly detailed in the provided evidence, is a common vector for such attacks, likely used to redirect users or execute further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/pbw?utm_term=cronache+dal+futuro+dienach+libro+italiano+pdf
    • https://static.s123-cdn-static.com/uploads/4389366/normal_5fef4e51b2b53.pdf
    • https://cdn-cms.f-static.net/uploads/4379851/normal_606c3e6bdfb61.pdf
    • https://cdn-cms.f-static.net/uploads/4457281/normal_600a3ceb9777b.pdf
    • https://rovupugefo.weebly.com/uploads/1/3/4/3/134359584/wudogemi-gozovosikev-zopodona.pdf
    • https://static.s123-cdn-static.com/uploads/4373757/normal_60039bcbbf205.pdf
    • https://static.s123-cdn-static.com/uploads/4414152/normal_5fd06c112c4de.pdf
    • https://cdn-cms.f-static.net/uploads/4469349/normal_6009da059880a.pdf
    • https://cdn-cms.f-static.net/uploads/4495985/normal_5fd76db0841f2.pdf
    • https://topuzuxet.weebly.com/uploads/1/3/0/7/130739133/9a05b857aa9.pdf
    • https://cdn-cms.f-static.net/uploads/4501361/normal_605f7d9230f9c.pdf
    • https://cdn-cms.f-static.net/uploads/4489041/normal_5fe98d352ee88.pdf
    • https://cdn-cms.f-static.net/uploads/4421352/normal_6056a8d709e1f.pdf
    • https://zavelodenewiguj.weebly.com/uploads/1/3/5/3/135314669/riwaravizu.pdf
    • https://cdn-cms.f-static.net/uploads/4373516/normal_601dbeee0c431.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/019c07ee-82ab-42bc-b71d-36a5f9e2434f/when_should_we_recite_surah_waqiah.pdf
    • https://uploads.strikinglycdn.com/files/f4966c9a-3d61-4911-9a47-957151ad015a/97600535231.pdf
    • https://uploads.strikinglycdn.com/files/add34dad-f299-47cb-b8a9-210fcd289a8a/does_amazon_have_free_giveaways.pdf
    • https://uploads.strikinglycdn.com/files/d8893ba0-5fae-403f-a493-a808c89ebac1/43368597982.pdf
    • https://uploads.strikinglycdn.com/files/7b6088eb-2ddc-4c31-88a1-30e808ca08e5/21249645008.pdf
    • https://uploads.strikinglycdn.com/files/e6a3298c-6c38-4b44-9712-369f85c7e3df/river_flows_in_you_yiruma_fingerstyle_guitar_lesson_tutorial_how_to_play_fingerstyle.pdf
    • https://uploads.strikinglycdn.com/files/53de63c2-a13a-49fa-b02f-1c58e388614c/what_does_the_bible_say_about_starting_fighting_back.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e578.bin
f2f0b5da31384a6e4cdf2b22c6f8140c82cd45690b6a77936411abf201b302ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE578 5112 bytes
font_01_sfnt_off0000f6c9.bin
ca584dd03bd9ce32e96cdbe55a0cb95acca7bae415055e085ba8b72409c1870f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6C9 11224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.