Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a34ec2169dede0b…

Verdict: MALICIOUS
File type: PDF

Size: 70.8 KB
Created: 2021-03-17 00:04:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e2e092c875beda874de725b99dc07d3
SHA-1: ba5e827f8f7629f6adda62ff74db7a15d7590da5
SHA-256: 5a34ec2169dede0b7b57291c2acc040a5dada9cde2c84edf5dd3dc62c0c600ad
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and by an ML classifier, indicating phishing or trojan-like behavior. The heuristic firings show a large number of embedded external links, suggesting an attempt to direct users to potentially harmful websites. The presence of external URIs together with the link-farm heuristic points to a malicious document designed to exploit users through deceptive links.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9996

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d50d.bin
    SHA-256: e2695ebef24d0f61537bd8fd24bd867526829dbff1afe250e797c43c8c381bd2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD50D
    Size: 5108 bytes
  • Filename: font_01_sfnt_off0000e651.bin
    SHA-256: cc24115326492608e0cf36893b4ee3c57c6853579159c970f3979353f94862b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE651
    Size: 11564 bytes