Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bb5d135028f703b…

MALICIOUS

PDF

70.6 KB Created: 2021-03-28 04:28:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 135a0e69f644cd3f2bf1647535410d71 SHA-1: 7755bf6b5cda18403cb3a390546865019358c397 SHA-256: 5bb5d135028f703b6c8cb6464cca5c3d3c4cd1564a987974aaed0b61b5491c31
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially harmful sites. The document body, though heavily obfuscated, appears to be a lure related to 'Taco bell shredded chicken burrito calories', which is a common tactic for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=taco+bell+shredded+chicken+burrito+calories
    • https://teliwunamadawab.weebly.com/uploads/1/3/1/3/131381891/6794784.pdf
    • https://tugufotekaluxaz.weebly.com/uploads/1/3/4/8/134883762/6f4b7c12a94c2.pdf
    • https://papukelub.weebly.com/uploads/1/3/4/6/134666119/zuxibizar.pdf
    • https://tabuwesajusa.weebly.com/uploads/1/3/1/8/131856124/rixugozufeteso.pdf
    • https://cdn-cms.f-static.net/uploads/4485321/normal_6023c8bdcaef1.pdf
    • https://sobopagep.weebly.com/uploads/1/3/0/8/130873740/bovuxilutuxewu.pdf
    • https://cdn-cms.f-static.net/uploads/4466386/normal_602772e1771f4.pdf
    • https://mimejomukokije.weebly.com/uploads/1/3/4/5/134510045/lodit.pdf
    • https://cdn-cms.f-static.net/uploads/4413012/normal_6038e238d1b56.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4123e755-5e7e-4fb8-b167-49ba90d37259.filesusr.com/ugd/fd3290_b3baac64ac4a4306a1ffecb0155ee326.pdf?index=true
    • https://46b09160-81f9-4cb3-9cca-f7b5b0c0229e.filesusr.com/ugd/179cc6_97a757c7ddd448b0a3be5c352f12ee6f.pdf?index=true
    • https://804b95bc-9ca4-448d-a094-5a8e1ff69a26.filesusr.com/ugd/99d1da_888c80f5a42844be92047a6da263865f.pdf?index=true
    • https://ed4d48c2-14ea-47f5-a89a-b82193587323.filesusr.com/ugd/8ce377_0079419905e9478085eb1862967b7bc0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bad0a9a6-678a-4c3a-917f-a738da3603a2/vutifogumepugewikafej.pdf
    • https://91506351-5699-48ce-85e7-8e7d071f4e87.filesusr.com/ugd/d775a9_21eebd91f55047a3b11452ac47708c34.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2773b4bb-cd25-4888-9b61-a1f74aece497/guraloxomopa.pdf
    • https://7afcd0b8-98df-42a4-afe0-9544d44c9539.filesusr.com/ugd/74e9cf_a447693d5be9482793c75930a2cde955.pdf?index=true
    • https://7ec9ed57-df89-401a-953b-45744c150cee.filesusr.com/ugd/6e3131_2ab74521b8d048a096dcb33ca563331a.pdf?index=true
    • https://b2f02272-107b-4032-aafc-54cdd6265a16.filesusr.com/ugd/6cf392_4dd32cf445924cb8b5645535d661cd32.pdf?index=true
    • https://737c154f-ca75-4484-807d-9d5c19d76377.filesusr.com/ugd/7e84b7_646174b6af0b43a288369a05ea6a1928.pdf?index=true
    • https://6db1e9a2-4282-4636-8d41-de07325ad911.filesusr.com/ugd/d97b38_3fa3f595a53244d68bf79457c487b28a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d857.bin
0ae1a1d78e1dd4ed9405ccd13670e2b94cb855f2883dbd856c4fc42bc7dfb9fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD857 5180 bytes
font_01_sfnt_off0000e9e2.bin
0a71fc11c736246105abfc9c6c8bc138b3fccedb8bcc03be0a4146fe9a6b6d53		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9E2 10188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.