Malicious PDF — malware analysis report

Static analysis result for SHA-256 59c8366947e6f657…

MALICIOUS

PDF

96.7 KB Created: 2021-04-03 21:19:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78e26f320a6ac51516f7d7aff1f5038d SHA-1: 7348c794bd73addeb6f3956e1d9d26dfc2f747ec SHA-256: 59c8366947e6f657449a6723ea40fbb780e8d9af31eefcd0ca9e28189f802c22
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which point to PDF files hosted on various domains, suggesting a link farm or a method to distribute further malicious content. The document body, though heavily obfuscated, appears to be related to cancer treatment, likely a lure to encourage users to click on the embedded malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/award?keyword=tratamiento+cancer+de+mama+pdf+2020
    • https://pirebuvix.weebly.com/uploads/1/3/2/7/132710697/0e7f718ab358b02.pdf
    • http://ygrash.website/operation_alamelamma_songs_freepjjwq.pdf
    • http://hugertely.xyz/62224829444yc78z.pdf
    • https://xasirazabad.weebly.com/uploads/1/3/4/6/134699738/6586139.pdf
    • https://cdn-cms.f-static.net/uploads/4427519/normal_60210c066ae0b.pdf
    • http://raisinslabs.club/delta_20_inch_band_saw_tiresvy4uf.pdf
    • http://chebsvet.ru/97859018226osa1h.pdf
    • https://static.s123-cdn-static.com/uploads/4369788/normal_5ff6675d8d4c3.pdf
    • https://wovikuzejujitij.weebly.com/uploads/1/3/4/5/134506660/sobojulewekija.pdf
    • http://idealica-columbia.site/ti_36x_pro_calculator_batteryiihqq.pdf
    • https://static.s123-cdn-static.com/uploads/4379602/normal_5fe1122d7ebca.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/61a86de2-52c4-480c-960c-faf8818a0bc0/37904399025.pdf
    • https://uploads.strikinglycdn.com/files/b321551b-a4db-41fb-9ea3-72cd006532c7/terrorist_attacks_around_the_world_since_9_11.pdf
    • https://uploads.strikinglycdn.com/files/b740af02-111a-44be-bef0-c27025db1387/58775409496.pdf
    • https://uploads.strikinglycdn.com/files/eae14bdc-0fbd-4ba5-82ad-fc62c16f4781/16020628174.pdf
    • https://9aef9be9-4304-4ec6-b02b-ded1eabc5d1b.filesusr.com/ugd/a571b8_c29f963fe43a4232a6f746b5e65dc406.pdf?index=true
    • https://uploads.strikinglycdn.com/files/86bb45e0-0605-45a5-9cde-6341fb64a161/wezobowifapojitisajegit.pdf
    • https://50b44c92-959e-4a15-bf83-93d6b2b518d6.filesusr.com/ugd/3ed44c_2ebb55cb3cc340d4987ca6a5ac958af8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/54349a53-b0e8-41af-80b4-90368303e662/34363573724.pdf
    • https://uploads.strikinglycdn.com/files/6f87fb37-b908-48b4-a816-769f13c078e0/lomiwut.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013ca3.bin
a160b3424ec3e089b5be1337bd41c92b194a1ca65aa3580e9a069b2e3a563619		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13CA3 5312 bytes
font_01_sfnt_off00014e9e.bin
6186d758b39a67f0497b9f535e29eec0b2b68272ef77d7b95cdf0899e3a77a86		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14E9E 11484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.