Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c2835523d07bf14…

Verdict: MALICIOUS
File type: PDF
Size: 70.8 KB
Created: 2021-03-15 16:44:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 248d827fb3047e171e48d66ae0f6b566
SHA-1: 65d4237f9dabe05e9bbbb9306f8d33c4aeb95240
SHA-256: 5c2835523d07bf14b317dcc92f3ef578409d574821b9a5e5af206d5c1963dadb
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or malware distribution lure, as indicated by the 'PDF_SEO_LINK_FARM' heuristic and numerous external URLs. The document body, though heavily obfuscated, contains references to document conversion, suggesting a pretext to drive traffic to malicious sites. The presence of embedded JavaScript, though not explicitly detailed in the provided evidence, is a common technique for exploiting PDF vulnerabilities or initiating further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/award?keyword=convert+asciidoc+to+pdf+online
    • http://bella24.xyz/intel_pentium_audio_driver_for_windows_7_32_bit_free_download17a1q.pdf
    • https://pokukumujipuk.weebly.com/uploads/1/3/1/8/131856200/dowesuz.pdf
    • http://draiwenstore.online/20931160366sku7z.pdf
    • http://luxasireku.sportsontheweb.net/how_to_fix_moto_360_battery_life.pdf
    • http://cesaregaspari.com/nobuzuxujokat0oo5z.pdf
    • http://pinopizo.sportsontheweb.net/tp-link_tl-wa850re_user_guide.pdf
    • http://crysety.xyz/tadinodafs0maa.pdf
    • http://pressit.space/aprender_ingles_rapido_gratis_y_facil2wb17.pdf
    • http://gekifek.scienceontheweb.net/240540540.pdf
    • http://nekidifuton.medianewsonline.com/70556817509.pdf
    • https://xexemisekugo.weebly.com/uploads/1/3/4/6/134679242/61b73.pdf
    • http://tukameduk.22web.org/java_project_with_synopsis.pdf
    • https://rasozonikazip.weebly.com/uploads/1/3/4/9/134904665/4b379d4bc49.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b3709dad-42f4-4621-9b7e-74d31ca978cd.filesusr.com/ugd/f91cf1_07f5784b4ffa48b4a0c955d48272f12b.pdf?index=true
    • http://fifawuzajulolu.rf.gd/garmin_dash_cam_55_vs_65_review.pdf
    • https://46fb9a51-9e16-4ad8-811e-2f7ed01702f7.filesusr.com/ugd/53363c_c1a3d22de2214424a2c53068fd9daa6a.pdf?index=true
    • https://246406bc-bb0d-4f29-baed-d8a6153a9543.filesusr.com/ugd/3ddeef_054f68a82405404bae773132e6bc018a.pdf?index=true
    • http://jujobope.atwebpages.com/43645147500.pdf
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_2915e16e9aa0487a8d4b30a85c62c5e5.pdf?index=true
    • http://nisetekotixob.myartsonline.com/dafegagut.pdf
    • http://saluwagasa.onlinewebshop.net/who_invented_the_first_cell_phone_and_why.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off0000d9c7.bin  | 51157fc75568aea47eba3347f84da8a884b8679ec14aeccebca89a16e135497d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD9C7 | 5116 bytes
font_01_sfnt_off0000eb41.bin  | 7b8cb34d8c34a7b72d33084979c1b816f0df3b1348ec2a0e249f3312a8a9798b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB41 | 10108 bytes