Malicious PDF — malware analysis report

Static analysis result for SHA-256 57371f2e1a23f51e…

MALICIOUS

PDF

Size: 97.3 KB
Created: 2021-03-15 22:12:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e1be60dde7062efd6fadf4d2f2515f2d
SHA-1: 2ae82be6bd3b6801eb59ee2d0bb774e4e476fce5
SHA-256: 57371f2e1a23f51e8ec45e19dfc9f7da74e36fe52f8fb826d07e8c9bbc493ad1
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing attempt. The ClamAV detection and ML classifier also indicate maliciousness. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of malicious intent, likely to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000127b4.bin
    SHA-256: 344b0429897a5c49c1fa852cf8f304f6007b4a97712a94089be4789ca6ce8c6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x127B4
    Size: 4848 bytes
  • font_01_sfnt_off00013849.bin
    SHA-256: c368728bbe093f44fe07d227e2ba78cf5008469b1fa1af521e6d8e8ba2453f5f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13849
    Size: 12944 bytes
  • font_02_sfnt_off00016354.bin
    SHA-256: f4f5fb0209a4714c3cbdfe9b8e29dbdabffe5d2cbe58e8cc741460ff97ba63ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16354
    Size: 16100 bytes