Malicious PDF — malware analysis report

Static analysis result for SHA-256 592d4c57818eb4fb…

Verdict: MALICIOUS
File type: PDF
Size: 108.3 KB
Created: 2021-03-22 03:25:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: faab1069801a8a32ac579ae8f24528ed
SHA-1: 11e1f32e63c0968c6f3c311678159d05adb8868e
SHA-256: 592d4c57818eb4fb462de045efe69bc52c7719c4e86cb0374f391cc3a353fd7e
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, most of them pointing to disposable file-hosting and blog-platform domains, which triggered the 'PDF_SEO_LINK_FARM' heuristic. The primary URL, 'https://pelibifir.ru/wix?keyword=bpl+point+table+2020+highest+run', carries a search-term style query string and is most likely a redirector into malicious content. ClamAV also flags the file as 'Pdf.Phishing.Trojan'. No script content was extracted, so the T1059.007 (JavaScript) mapping is not backed by a carved artifact; the file's structure is nonetheless consistent with a generated SEO/link-farm PDF used to distribute further malicious PDFs or to route users to phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9972

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=bpl+point+table+2020+highest+run (primary URL)
    • http://tirojegexo.iblogger.org/91478614140.pdf
    • https://cdn-cms.f-static.net/uploads/4454182/normal_603c14a1cae50.pdf
    • https://sudarotabodubig.weebly.com/uploads/1/3/1/4/131407445/dudamubejali.pdf
    • http://nextauto02.ru/655944969499vf4q.pdf
    • http://japancar-sib.ru/juferogubejiwefudauwp5m.pdf
    • https://ginadilu.weebly.com/uploads/1/3/4/7/134768391/6515315.pdf
    • https://lubafotet.weebly.com/uploads/1/3/1/3/131380208/4332445.pdf
    • https://jufozawuvinuxak.weebly.com/uploads/1/3/5/3/135326647/4730977.pdf
    • http://vashobereg.com/7180582005546gy0.pdf
    • http://svarka-aurora.online/30814428784gkbbv.pdf
    • https://gisunada.weebly.com/uploads/1/3/1/4/131409009/tevuku.pdf
    • http://ritual-venki.online/watch_james_bond_spectre_putlocker8fict.pdf
    • http://xabiferego.iblogger.org/how_much_does_it_cost_to_rebuild_a_lawn_mower_engine.pdf
    • https://static.s123-cdn-static.com/uploads/4393752/normal_5ff086f55e9ea.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fosalizuzu/pukomad.pdf
    • https://s3.amazonaws.com/defujo/lotimitesuvivuv.pdf
    • https://s3.amazonaws.com/ponivotigegepub/vonutodam.pdf
    • https://s3.amazonaws.com/vinivuxo/business_income_manual_gifts.pdf
    • https://s3.amazonaws.com/zakunafu/momafedopesos.pdf
    • https://s3.amazonaws.com/kiguteperilodu/40844466445.pdf
    • http://famirasavu.epizy.com/hisense_40_s4_fhd_smart_led_tv_review.pdf
    • http://jufofokisib.epizy.com/antenatal_fetal_surveillance_guidelines.pdf
    • https://s3.amazonaws.com/polojuliragam/badatodizev.pdf
    • http://velirixegu.rf.gd/popibaga.pdf
    • https://s3.amazonaws.com/verirejon/bratislava_tourist_information_office.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    The last nine entries are not clickable links: the w3.org, purl.org and ns.adobe.com URIs are XMP/RDF namespace identifiers from the document's metadata stream, and the remaining three come from license and copyright strings inside the embedded fonts (the trailing "GNU" and "Regular" are adjacent font-metadata text that the URL extractor fused onto the URL). They should be excluded before counting external links.
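
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small scanner. The following is an added example, not code from this report or from the analysis tool that produced it. It runs over a constructed PDF-like byte string (hostnames under example.net/example.org/example.com are made up), the link-count and host-share thresholds are illustrative assumptions rather than the tool's tuned values, and the list of dictionary keys treated as "active content" is likewise an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Minimal object scanner: "N G obj ... endobj" in file order, duplicates included.
# It deliberately ignores the xref table so that it sees every definition a
# first-wins or last-wins reader might pick. Not a full PDF parser (no object
# streams, no filters), which is fine for the uncompressed carriers described above.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI targets of link actions; literal strings containing an unescaped ')' are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence marks a competing body as "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|SubmitForm|ImportData|OpenAction|AA)\b")


def iter_objects(pdf: bytes):
    """Yield (num, gen, body) for every object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf: bytes):
    """{(num, gen): [body, ...]} for objects defined more than once with differing bodies.
    Index 0 is what a first-wins reader resolves; index -1 is what a last-wins reader
    (the normal incremental-update rule) resolves."""
    seen = {}
    for num, gen, body in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Body of object (num, gen) under a 'first' (first-wins) or 'last' (last-wins) policy."""
    bodies = [b for n, g, b in iter_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_carries_active_content(pdf: bytes) -> bool:
    """True when any competing body of a duplicated object contains active content,
    the condition under which the report raises the duplicate-object finding."""
    return any(ACTIVE_RE.search(b) for bodies in duplicate_objects(pdf).values() for b in bodies)


def link_uris(pdf: bytes):
    """All /URI action targets, decoded as latin-1 so arbitrary bytes survive."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def link_farm_score(uris, min_links=10, host_share=0.5):
    """Link-farm shape: many external links, mostly on one host.
    Thresholds are illustrative assumptions, not the report's tuned values."""
    hosts = Counter(h for h in (urlsplit(u).hostname for u in uris) if h)
    total = sum(hosts.values())
    if total == 0:
        return {"total": 0, "top_host": None, "share": 0.0, "flag": False}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / total
    return {"total": total, "top_host": top_host, "share": share,
            "flag": total >= min_links and share >= host_share}


def build_sample() -> bytes:
    """Constructed sample, not the analyzed file: 14 link annotations (12 on one host)
    plus object 5 defined twice, the second time in a simulated incremental update
    that swaps a plain URI action for JavaScript."""
    targets = [f"https://farm.example.net/x?keyword=term+{i}" for i in range(12)]
    targets += ["https://docs.example.org/a.pdf", "http://www.example.com/"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(targets)))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj\n",
        b"5 0 obj << /Type /Action /S /URI /URI (https://docs.example.org/b.pdf) >> endobj\n",
    ]
    for i, t in enumerate(targets):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n"
                     % (10 + i, t.encode()))
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number and generation, different body.
    parts.append(b"5 0 obj << /Type /Action /S /JavaScript /JS (app.alert\\(1\\)) >> endobj\n")
    parts.append(b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_sample()
    for (num, gen), bodies in duplicate_objects(pdf).items():
        print(f"object {num} {gen} defined {len(bodies)}x")
        print("  first-wins ->", resolve(pdf, num, gen, "first"))
        print("  last-wins  ->", resolve(pdf, num, gen, "last"))
    print("active content in duplicate:", duplicate_carries_active_content(pdf))
    print("link farm:", link_farm_score(link_uris(pdf)))
```

Grouping by hostname is the simplest clustering rule and has an obvious blind spot visible in the URL list above: bucket-style URLs such as s3.amazonaws.com/<bucket>/... and per-site subdomains on weebly.com all collapse to, or split across, hosts in ways that do not reflect who controls the content. A production check should count registrable domains and, for shared hosting, the first path component as well, and should drop namespace and font-license URIs before counting.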

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000143ec.bin
    SHA-256: 2e127c9addb55c3d9c90bcde7fd0af42061e4b72bd93f876868a0f046eb261b7
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x143EC; Size: 5544 bytes
  • font_01_sfnt_off000156b9.bin
    SHA-256: a6e759c90a6e2b97901bfd00dce9ab77653361511346f7763f72a0d78b8413e4
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x156B9; Size: 11924 bytes
  • font_02_sfnt_off00017c08.bin
    SHA-256: 6372b6cb373069f0f0e91707bc8b899fdf88ba964f3fc9d364bd1380a9357287
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x17C08; Size: 10744 bytes