Malicious PDF — malware analysis report

Static analysis result for SHA-256 57b11eae18aa5025…

Verdict: MALICIOUS
File type: PDF
Size: 77.5 KB
Created: 2021-04-03 07:53:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b1e565f74eb4beae844190a2f6747217
SHA-1: d25c2ad1487f9c3d005f11a7da1d2a85f1dae654
SHA-256: 57b11eae18aa5025b45b9b97edf7f3994ad83d2a8d68e248d8e876dd7c07fc8b
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, most of which point to seemingly unrelated PDF files hosted on a handful of hosts (uploads.strikinglycdn.com, filesusr.com, s3.amazonaws.com), the pattern of a generated link-farm or SEO-manipulation document rather than genuine citations. One prominent URL, 'https://jumiwimov.ru/strik?utm_term=why+isn%2527t+my+cricut+iron+on+sticking', stands out as the lure: its utm_term is a double-URL-encoded search query ("why isn't my cricut iron on sticking"), consistent with SEO poisoning that routes search traffic into a phishing or malware download chain. The ML classifier and the ClamAV signature both indicate malicious intent, most likely phishing or trojan delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with the signature named above.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; this sample's duplicate does not, which is why the finding stays informational.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The last seven entries (the rdf-syntax-ns, purl.org/dc and ns.adobe.com URIs, plus scripts.sil.org/OFL) are XMP metadata namespace identifiers and the SIL Open Font License URL normally carried in an embedded font's name table, not clickable links.
    • https://jumiwimov.ru/strik?utm_term=why+isn%2527t+my+cricut+iron+on+sticking
    • https://static.s123-cdn-static.com/uploads/4377656/normal_5ff2848c4de91.pdf
    • https://cdn-cms.f-static.net/uploads/4421957/normal_604d13532338a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5ce43ca3-cbb3-4e1c-8849-2ee35521acd7/tuxiterubawodof.pdf
    • https://uploads.strikinglycdn.com/files/2963525c-3889-4a62-b4e3-4d925d47a080/zakabaxuk.pdf
    • https://uploads.strikinglycdn.com/files/f6d74ce5-e1ad-4266-993f-0bf92a4532aa/kiwipaderewofexumoxerex.pdf
    • https://uploads.strikinglycdn.com/files/8b7e3d18-8536-4695-b9f7-25b7acb5ec82/the_hiding_place_study_guide.pdf
    • https://e590c0d9-b694-44fb-9862-47327b30d8b0.filesusr.com/ugd/89363e_d41c763d0c4646bc82f3f54fee8e895a.pdf?index=true
    • https://0a01f052-6ee6-4bfa-868d-d2e49373b03f.filesusr.com/ugd/55f640_270c2e94c46343fba54bc944dc0c3950.pdf?index=true
    • https://uploads.strikinglycdn.com/files/411f3b8f-c678-42d0-af48-b6d85bae68f2/72657135693.pdf
    • https://uploads.strikinglycdn.com/files/26d19667-8cc4-47fe-9f46-7a7bd8c2af6d/can_you_add_memory_to_a_samsung_chromebook.pdf
    • https://uploads.strikinglycdn.com/files/2522c3fb-e4ea-4543-88b7-fbd8e11527cf/7240583120.pdf
    • https://s3.amazonaws.com/waxegatulo/campbell_biology_chapter_17_study_guide.pdf
    • https://uploads.strikinglycdn.com/files/904e98b4-4b24-480b-84ba-ebb852b78fca/how_to_reset_lexmark_printer.pdf
    • https://uploads.strikinglycdn.com/files/7466466a-ea92-40dc-b727-0620fcbd6f78/70726065249.pdf
    • https://aa4c2489-c93b-4667-afab-104bf5323bad.filesusr.com/ugd/8b49c6_1078791f242644e7bfbe8054de425a46.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7c79d70a-8841-444c-86fe-dbb1e102fbdc/what_can_i_mix_with_crown_royal_black.pdf
    • https://5bf49506-6ef1-42f8-8f90-7e3689255fd3.filesusr.com/ugd/8fe1bf_44319d5e07534d21ad7f87d8bff016fb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a958764d-76cc-4a68-b28c-9cf239387062/lokewewakajizumede.pdf
    • https://s3.amazonaws.com/desenaz/complete_blood_count_report_template.pdf
    • https://s3.amazonaws.com/jivamubug/prentice_hall_gold_algebra_1_answer_key_form_g_6-6.pdf
    • https://uploads.strikinglycdn.com/files/8208ae85-18f7-43b7-9d00-810ca60046ad/what_is_the_difference_between_formal_and_informal_definition_of_words.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
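As an added illustration (not the scanner's output or its code), the Python below reproduces the two structural checks behind PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL on a constructed PDF byte stream: it extracts /URI link targets and clusters them by host, and it finds indirect objects defined more than once with differing bodies, resolving each the way a first-wins and a last-wins reader would and raising severity only when a body carries active content. The sample PDF, the thresholds and the list of "active content" keys are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample (not the analysed file): two link annotations on one CDN
# host, one lure link, and an incremental update that redefines object 4 with a
# JavaScript action. Object 2 is redefined with an identical body (benign noise).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Action /S /URI /URI (https://example.invalid/page) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.invalid/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.invalid/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.invalid/strik) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Action /S /JavaScript /JS (app.launchURL("https://lure.invalid/strik", true)) >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "N G obj ... endobj"; enough for plain files without object streams.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values only; hex strings and escaped parentheses are ignored.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed set of keys that make a redefined object "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def iter_objects(data):
    """Yield ((num, gen), body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies; identical
    redefinitions (ordinary incremental-update noise) are dropped."""
    bodies = defaultdict(list)
    for key, body in iter_objects(data):
        bodies[key].append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(data, key, policy="last"):
    """Simulate a first-wins or last-wins reader for one object number."""
    defs = [body for k, body in iter_objects(data) if k == key]
    if not defs:
        return None
    return defs[0] if policy == "first" else defs[-1]


def carries_active_content(body):
    return body is not None and any(k in body for k in ACTIVE_KEYS)


def extract_uris(data):
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def host_clusters(uris):
    return Counter(urlparse(u).netloc.lower() for u in uris)


def assess(data, size_limit=200_000, min_links=10, cluster_ratio=0.5):
    """Run both checks. Thresholds are assumptions for this example."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = host_clusters(pdf_links)
    top_count = hosts.most_common(1)[0][1] if hosts else 0
    link_farm = (len(data) <= size_limit
                 and len(pdf_links) >= max(min_links, 1)
                 and top_count / len(pdf_links) >= cluster_ratio)
    dup_findings = {}
    for key in find_duplicate_objects(data):
        first, last = resolve(data, key, "first"), resolve(data, key, "last")
        active = carries_active_content(first) or carries_active_content(last)
        dup_findings[key] = {"first_wins": first, "last_wins": last,
                             "severity": "high" if active else "info"}
    return {"uris": uris, "pdf_link_hosts": dict(hosts),
            "link_farm": link_farm, "duplicate_objects": dup_findings}


if __name__ == "__main__":
    result = assess(SAMPLE_PDF, min_links=2)
    print("link farm:", result["link_farm"], result["pdf_link_hosts"])
    for key, f in result["duplicate_objects"].items():
        print(f"object {key[0]} {key[1]} redefined ({f['severity']}):")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
```

The first-wins/last-wins simulation is deliberately naive: a real reader follows the startxref chain and the xref entries, so the object it actually uses may be neither the first nor the last textual definition. When triaging a real sample, compare this scan against what a reference parser resolves (for example `qpdf --show-object=4`) before deciding which body the victim's viewer would have executed.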

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f167.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF167
  Size: 5184 bytes
  SHA-256: c0fc05a80508bd982a36b2a9d467435be137cd2876b626e2205386980e483ea8

Filename: font_01_sfnt_off00010301.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10301
  Size: 11076 bytes
  SHA-256: 5503e3d30353ce4f00a3b02a97ad37a35a3273239a46f774a8251c24bb0b44ad