Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e2facb6a8f7bd8d…

Verdict: MALICIOUS
File type: PDF
Size: 79.4 KB
Created: 2021-04-04 10:27:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ce8a9ef30f7340c42467cb07439dd314
SHA-1: dbafb79b3aa60ae6f7d33ffcdaea7cfd462117f4
SHA-256: 5e2facb6a8f7bd8d2c051f380be8e1a3ee61d6fea525a7adbe293527e8e683ea
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This small (79.4 KB) PDF, generated with wkhtmltopdf, contains roughly thirty clickable external links to other PDFs, most of them on free-hosting and CDN domains (filesusr.com, s3.amazonaws.com, s123-cdn-static.com, f-static.net, iblogger.org). That is the pattern of a generated SEO/link-farm carrier used to route users into a delivery chain, not a normal citation pattern. The SE_REMOTE_SUPPORT_LURE heuristic indicates that the document text instructs the user to install or connect with a remote-support tool, a common social-engineering step. The ML classifier score (0.9990) and the ClamAV phishing signature corroborate the verdict. Two caveats for anyone consuming this report: none of the six heuristics reports JavaScript, an OpenAction or an exploit, so the T1203 and T1059.007 mappings are not backed by the static evidence listed below (T1566.001 is); and the w3.org, purl.org, ns.adobe.com and scripts.sil.org/OFL entries in the URL list are XMP namespace and font-licence URIs, while ascendercorp.com and daltonmaag.com are font-vendor URLs most likely carried in the embedded fonts' name tables, so none of those seven should be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    The PDF is small but contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature named above.
  • SE_REMOTE_SUPPORT_LURE (high): Remote-support tool lure
    The document text instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. In an unsolicited document this is a high-risk social-engineering indicator.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=readworks+a+more+perfect+union+answers
    • http://pirizatifi.iblogger.org/best_bollywood_movies_sites_2018.pdf
    • http://20970907.net/jibodogadukodogorebpgbl.pdf
    • http://petrol-v-pol-price.site/nba_2k20_soundtrack_clean2bffp.pdf
    • http://takodevizol.iblogger.org/how_can_i_my_twitter_account.pdf
    • https://static.s123-cdn-static.com/uploads/4473656/normal_60021b2567de9.pdf
    • http://swast-group.website/ludosorarekamuboih2an.pdf
    • https://cdn-cms.f-static.net/uploads/4477400/normal_6019143b81e2d.pdf
    • https://static.s123-cdn-static.com/uploads/4408186/normal_5fefb674b29bb.pdf
    • https://cdn-cms.f-static.net/uploads/4447460/normal_6044cc975c824.pdf
    • https://static.s123-cdn-static.com/uploads/4448976/normal_5fce5e9a69359.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://18aefb47-0221-41c7-ace0-4f78eb33e730.filesusr.com/ugd/bca722_1ad644a6dc83400685e6ece792351e90.pdf?index=true
    • https://fa202315-5cd5-4006-9a99-7c5d4406650e.filesusr.com/ugd/61804c_3c81f53fcb4f48dfa8063d91deda4e2c.pdf?index=true
    • https://s3.amazonaws.com/bipovoromoj/xewumedaxipogugafaxire.pdf
    • https://36622f5a-5a1b-41a5-aa98-965156e47ac2.filesusr.com/ugd/804ff6_079e35407b634858baf8bce66d34fb4d.pdf?index=true
    • https://s3.amazonaws.com/jesidofefe/79589277812.pdf
    • https://650c977b-0274-48a2-8498-43c0efc39f4e.filesusr.com/ugd/dbad32_96f9a1882c3a4ca3a803b3baf6ea419c.pdf?index=true
    • https://9dd02728-8b0e-4c16-8a5b-31b14a6ec887.filesusr.com/ugd/d8c3ed_77d9bd9fe65a4ebea230d25d882c732d.pdf?index=true
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_cca0fe129de641ae9d6a5f12a5258f1e.pdf?index=true
    • https://9042e326-c85f-44e6-b9b6-0c206471fdba.filesusr.com/ugd/0d2fda_6e0066145a564da3a8cff3cea51c43e0.pdf?index=true
    • https://s3.amazonaws.com/zarelusipofox/chapter_10_dihybrid_cross_worksheet_practice_problems.pdf
    • https://7133fc40-0b9c-4701-b953-e7fafc934b44.filesusr.com/ugd/70a38d_719b62954cd640dbaa1b6fad402fb3a2.pdf?index=true
    • https://s3.amazonaws.com/sonutopexaramuf/ziriwefef.pdf
    • https://s3.amazonaws.com/wutezigojuxi/botanical_line_drawing_peggy_dean.pdf
    • http://buwojilow.rf.gd/cell_structure_components_and_functions.pdf
    • http://karapazixegipi.epizy.com/diffraction_grating_and_emission_spectra_lab_report.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
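The two structural heuristics in the list above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short Python script. The following is an added example written for this page, not the scanner that produced the report; the PDF fixture it builds, the *.invalid host names and the thresholds (20 links, 200 KB, 50 % of links on one host) are constructed assumptions. It scans the raw bytes for every `N G obj ... endobj` definition instead of walking the xref, so it sees both the original and the incrementally updated copy of an object, records what a first-wins and a last-wins reader would each resolve, and raises severity only when a replacing body carries an action key.

```python
"""Structural triage for two of the heuristics above: PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. Illustrative code, not the scanner that
produced this report; thresholds and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" anywhere in the file, in file order. Scanning bytes
# instead of walking the xref means an object redefined by an incremental
# update is seen twice, which is exactly what the duplicate heuristic needs.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (literal string), allowing backslash-escaped characters inside it
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys that make an object *do* something rather than just draw.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def iter_objects(pdf):
    """Yield (num, gen, body_bytes) for every indirect object definition."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def duplicate_objects(pdf):
    """Map (num, gen) -> [body, ...] for objects defined more than once with
    differing bodies. bodies[0] is what a first-wins reader resolves,
    bodies[-1] what a last-wins reader resolves."""
    seen = {}
    for num, gen, body in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def link_uris(pdf):
    """Return every /URI target as a str, with PDF string escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm(pdf, min_links=20, max_size=200_000, cluster=0.5):
    """Link-farm shape: small file, many external links, mostly one host.
    Thresholds are assumptions chosen for this example."""
    hosts = Counter(urlsplit(u).hostname or "" for u in link_uris(pdf)
                    if u.lower().startswith(("http://", "https://")))
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / total if total else 0.0
    flagged = len(pdf) <= max_size and total >= min_links and share >= cluster
    return flagged, {"links": total, "top_host": top_host, "top_share": share}


def triage(pdf):
    """Return [(rule_id, severity, detail), ...] in the report's style."""
    findings = []
    farm, d = link_farm(pdf)
    if farm:
        findings.append(("PDF_SEO_LINK_FARM", "critical",
                         f"{d['links']} links, {d['top_share']:.0%} on {d['top_host']}"))
    for (num, gen), bodies in sorted(duplicate_objects(pdf).items()):
        # Severity is raised only when a *replacing* body carries active content.
        active = any(k in b for b in bodies[1:] for k in ACTIVE_KEYS)
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                         "high" if active else "info",
                         f"{num} {gen} obj defined {len(bodies)}x; "
                         f"first-wins={bodies[0].strip()[:40]!r} "
                         f"last-wins={bodies[-1].strip()[:40]!r}"))
    return findings


def build_sample_pdf(n_links=25, farm_host="example-farm.invalid"):
    """Constructed fixture (not the analysed sample): a one-page PDF with
    n_links link annotations, followed by an incremental update that
    redefines object 2 harmlessly and object 1 with an /OpenAction URI.
    No xref is written; lenient readers rebuild it by scanning, as we do."""
    annots, objs = [], []
    for i in range(n_links):
        num = 4 + i
        host = farm_host if i < n_links - 3 else f"other{i}.invalid"
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI (https://{host}/doc_{i}.pdf) >> >>\nendobj\n")
        annots.append(f"{num} 0 R")
    original = ("%PDF-1.4\n"
                "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
                f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>\nendobj\n"
                + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = ("2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 /Rotate 0 >>\nendobj\n"
              "1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              "/OpenAction << /S /URI /URI (https://landing.invalid/go) >> >>\nendobj\n"
              "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return (original + update).encode("latin-1")


if __name__ == "__main__":
    for rule, sev, detail in triage(build_sample_pdf()):
        print(f"{sev:8} {rule}: {detail}")
```

Run it as-is to see the three findings on the fixture: the link farm at critical, object 2 at info (the replacing body only adds /Rotate) and object 1 at high (the replacing body adds an /OpenAction with a /URI). On a real sample, feed the file bytes to triage(); note that the duplicate check is intentionally blind to the xref, because a reader that trusts the xref and one that rebuilds it by scanning are precisely the two parsers the heuristic is worried about disagreeing.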

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are sfnt-container font programs (the TrueType/OpenType wrapper) embedded as PDF font streams; the report lists no detection against them.

  • font_00_sfnt_off0000ec79.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC79
    Size: 5312 bytes
    SHA-256: 26ae6fe42ca64f7ea65a62c46c5ddc13117661b3810cd62f94f251276b1da295
  • font_01_sfnt_off0000fe8d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE8D
    Size: 10340 bytes
    SHA-256: 525d7f5c95f94b2d8feefa24a0d063d94a0f4560b6f369ac2490b9d09fbb8a1d
  • font_02_sfnt_off000121fb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121FB
    Size: 4324 bytes
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f