Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ac52c8cb9a1e217…

MALICIOUS

PDF

87.8 KB Created: 2021-03-25 16:00:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd01619300510a232220cd7300699a47 SHA-1: 255c190073b07aff504dba5818e71130ce54e128 SHA-256: 5ac52c8cb9a1e217712761638f34ab86dcc84c01f28cbc78a49d2a0f2e688adc
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which point to potentially malicious domains, as indicated by the 'PDF_SEO_LINK_FARM' and 'PDF_URI' heuristics. The 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics further support its malicious nature. The document body, though heavily obfuscated, suggests a lure related to 'Gre test prep books free', which is likely a pretext for phishing or a scam. The presence of embedded URLs and the overall structure point towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=gre+test+prep+books+free
    • https://nipoxumafoji.weebly.com/uploads/1/3/4/7/134717148/c94d33.pdf
    • http://unreguezff.rest/kanetamawe8rhxt.pdf
    • https://cdn.sqhk.co/zojoguxuban/djifpja/7921892533.pdf
    • http://outputqwvk.space/32255882333mpeo5.pdf
    • https://cdn.sqhk.co/rilowikapaz/eI0hcge/ranking_arcade_fire_albums.pdf
    • https://gawudizilox.weebly.com/uploads/1/3/5/3/135300959/8521ced60ebf.pdf
    • https://nolaxefipox.weebly.com/uploads/1/3/4/7/134740184/jarifoguwafeji.pdf
    • https://vonepegoparopew.weebly.com/uploads/1/3/4/3/134352316/gokopowulal_sinivijotafaj.pdf
    • http://slamelina.website/335325802758opxs.pdf
    • http://trikotoria.ru/nakeliwetusudubavifu0bxpt.pdf
    • https://zoxanomo.weebly.com/uploads/1/3/1/1/131163640/8122174.pdf
    • http://changepass.online/sandisk_clip_sport_playerhtttj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/0fd2f995-87cc-479c-81d2-0ef881e251ce/acer_aspire_one_mini_laptop_keyboard_price.pdf
    • https://93a2b5bb-aecd-41dc-861f-07dcdefec443.filesusr.com/ugd/dee83c_33b115117dc240399443d08a689b8134.pdf?index=true
    • https://uploads.strikinglycdn.com/files/75ce69d0-63ba-4644-9e85-13161140ecfa/pretty_little_liars_season_3_episode_2.pdf
    • https://uploads.strikinglycdn.com/files/c2662663-de73-44fe-a814-040f961cc93c/22902980347.pdf
    • https://944bcc21-9f45-42c2-9889-8cf837fa5d1c.filesusr.com/ugd/50f869_c05a4fdc1a44481d8c6dd21afdbdbfd2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/00d8903f-ede1-4f0d-bbed-695e584f1ace/acer_aspire_v5-122p-0408_drivers.pdf
    • https://uploads.strikinglycdn.com/files/ea52234d-3358-4605-a4ea-4555d9944c50/moxobefatadebaru.pdf
    • https://uploads.strikinglycdn.com/files/950c47e0-719f-4098-9b58-847b8a59fb61/54745795673.pdf
    • https://uploads.strikinglycdn.com/files/04e9e423-5405-40df-8e4b-f393bf5a4565/gemini_alarm_system_battery_replacement.pdf
    • https://083189c9-8220-4687-a375-57be19a37228.filesusr.com/ugd/909b15_59de632250d14eaaa5e63578cc1d7115.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010c2f.bin
0a0fe900a4657d1d19ea8863a1437092803495e0b1f95f8d846dcd8fd07158d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C2F 4524 bytes
font_01_sfnt_off00011ba3.bin
e0225b17f4d589fdd798e4b97b1467131854493b29b4b058af52317dd4985f12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11BA3 11776 bytes
font_02_sfnt_off000143b2.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x143B2 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.