Malicious PDF — malware analysis report

Static analysis result for SHA-256 5870406c586160a6…

Verdict: MALICIOUS
File type: PDF
Size: 99.7 KB
Created: 2021-03-18 00:04:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e3e35f8e8fb8ca19060b783ada00126a
SHA-1: d90c29897a2b0595587256d8b5ead69eaccacd63
SHA-256: 5870406c586160a690d7cae1cbf2ee4c2deb13a2c68c6735a9a1a94ed6ba4e80
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF documents, indicating a link farm for SEO manipulation. One of the primary URLs, https://jacksth.ru/wix?keyword=chevron+cars+value, is likely used to direct users to malicious content or phishing pages. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://jacksth.ru/wix?keyword=chevron+cars+value

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000149db.bin
    SHA-256: d3841cab6e18593731b1c33f1e6170a2f41e40c41693a433034d1f7f3742b78f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x149DB
    Size: 4852 bytes
  • Filename: font_01_sfnt_off00015a54.bin
    SHA-256: 08bc1ce83fdb5ba82fc8d35d71a978949ccbecd90d591cdd84dbe02ffa960634
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15A54
    Size: 11444 bytes