Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ef25d2cfc31f301…

Verdict: MALICIOUS
File type: PDF
Size: 117.5 KB
Created: 2021-03-20 00:30:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31a97ff853cf29adee1ccc15b247f1e6
SHA-1: dd4178a569a4e1f5d39597dd6dbea9d9986b822e
SHA-256: 5ef25d2cfc31f3018ac97203f476635a88d89a5254743cd48ae5ba660b7387eb
Risk score: 216

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by several heuristics and an ML classifier, including a ClamAV phishing/trojan signature. It was rendered from HTML with wkhtmltopdf and, although only 117.5 KB, carries a large number of clickable external links: one to a suspicious domain ('maypoin.ru') and many to PDFs hosted in AWS S3 buckets and on site-builder and free-hosting domains (weebly.com, strikinglycdn.com, medianewsonline.com). This is the shape of a generated SEO link-farm carrier whose links route users to malicious content or phishing sites. Two secondary PDF bodies at nonzero offsets and an indirect object defined twice with different bodies point to a parser-confusion construction rather than a normally authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots in which the top-level magic routes one parser to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload; in this sample the outer container is itself a PDF, so the two carved child bodies listed under Extracted artifacts should be examined directly rather than taken as a ZIP/OLE polyglot.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature above.
  • PDF_URI (info): External URI action
    The PDF contains at least one /URI action (a clickable external link).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript or launch action); it stayed at info here.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; which channel (macro, JS, link annotation, document body, ...) reached each URL is recorded in per-URL labels that this listing does not reproduce. The last twelve entries (RDF/XMP namespace URIs and FreeFont/DejaVu licence URLs) are document-metadata and embedded-font strings, not clickable links.
    • https://maypoin.ru/wix?keyword=poetry+analysis+worksheet+answer
    • http://zoguponuwuxoli.medianewsonline.com/81832697184.pdf
    • https://nemelodanunoju.weebly.com/uploads/1/3/0/8/130874480/narolox_tusolavulogu.pdf
    • https://bawidonawasaz.weebly.com/uploads/1/3/4/3/134354070/gibavixeven_garigun_nakutav_biruzojev.pdf
    • http://pikegupima.medianewsonline.com/lomijizujejixoxugurotu.pdf
    • http://nekuwagibajese.getenjoyment.net/oracin_al_espritu_santo_para_sanar_un_enfermo.pdf
    • https://jafofuwozag.weebly.com/uploads/1/3/4/3/134320688/25970.pdf
    • https://regifedemez.weebly.com/uploads/1/3/1/4/131406591/8430680.pdf
    • http://komaxinatobofe.medianewsonline.com/28875589219.pdf
    • http://vizenam.medianewsonline.com/puzumariwumufujali.pdf
    • https://dolilufaxeni.weebly.com/uploads/1/3/2/6/132683246/6147004.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tobaziw/jojupakakutisanukaje.pdf
    • http://namepafubi.atwebpages.com/beyond_compare_download.pdf
    • https://s3.amazonaws.com/baxunaf/morning_worship_songs_audio.pdf
    • https://s3.amazonaws.com/gofilafixu/wexale.pdf
    • https://s3.amazonaws.com/kiremefegonar/apology_letter_to_customer_complaint_template.pdf
    • https://uploads.strikinglycdn.com/files/a2d8c05b-35fd-4900-a38b-056cc5a53034/how_to_host_at_a_restaurant.pdf
    • https://s3.amazonaws.com/dudigonifu/olx_ro_apk_old_version.pdf
    • http://teluroluxeterez.myartsonline.com/what_causes_a_transmission_to_get_stuck_in_gear.pdf
    • https://uploads.strikinglycdn.com/files/774d30b0-c65c-4f4c-84cd-5c87dc98a272/1991_craftsman_gt6000_specs.pdf
    • https://s3.amazonaws.com/defipedibe/what_is_a_spider_computer_lingo.pdf
    • https://s3.amazonaws.com/ginutu/checkbook_register_google_sheets.pdf
    • https://s3.amazonaws.com/perurulexi/are_stock_market_open_tomorrow.pdf
    • https://s3.amazonaws.com/timeziso/animal_tissue_culture_books.pdf
    • https://s3.amazonaws.com/tozaduliwubega/bookkeeping_spreadsheets_for_small_business.pdf
    • http://fuvuvadut.onlinewebshop.net/lumomodojasuroke.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
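The three structural heuristics above (link-farm clustering, a second PDF body at a nonzero offset, and an object id defined twice with differing bodies) are easy to reproduce on the raw bytes. The script below is an added example, not the analysis platform's rule code: the regexes, the thresholds (min_links, min_share, max_size) and the hand-built sample document are assumptions constructed for illustration, and the rule names are reused from this report only as labels for the output.

```python
"""Static PDF triage: link-farm clustering, nested %PDF- bodies, duplicate objects.

Added example, not the analysis platform's own code. Thresholds and the sample
PDF built by build_sample() are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Regexes operate on raw bytes; they are deliberately tolerant rather than a full parser.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # literal-string /URI values only
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI)\b")
PDF_MAGIC = b"%PDF-"


def nested_pdf_offsets(data: bytes) -> list:
    """Offsets of %PDF- headers other than the one at offset 0 (polyglot child shape)."""
    return [m.start() for m in re.finditer(re.escape(PDF_MAGIC), data) if m.start() != 0]


def carve_child(data: bytes, offset: int) -> bytes:
    """Carve a child PDF body from `offset` to the last %%EOF that follows it."""
    end = data.rfind(b"%%EOF", offset)
    return data[offset:] if end < 0 else data[offset:end + 5]


def link_farm(data: bytes, min_links: int = 10, min_share: float = 0.5,
              max_size: int = 512 * 1024) -> dict:
    """Small file + many /URI links + most of them on one host => SEO link-farm shape.
    Thresholds are assumptions for this example, not the platform's."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {"links": len(uris), "top_host": top_host, "share": share,
            "link_farm": len(data) <= max_size and len(uris) >= min_links and share >= min_share}


def duplicate_objects(data: bytes) -> dict:
    """Map (num, gen) -> every body version, for ids defined more than once with
    differing bodies. Incremental updates legitimately produce these; the severity
    question is whether any version carries active content."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """The body a first-wins or last-wins reader would use for object `num gen`."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(data)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def triage(data: bytes) -> list:
    """Return (rule_id, severity, detail) tuples; rule ids reuse the report's names as labels."""
    findings = []
    farm = link_farm(data)
    if farm["link_farm"]:
        findings.append(("PDF_SEO_LINK_FARM", "critical",
                         f'{farm["links"]} links, {farm["share"]:.0%} on {farm["top_host"]}'))
    for off in nested_pdf_offsets(data):
        child = carve_child(data, off)
        sev = "critical" if ACTIVE_RE.search(child) else "info"
        findings.append(("POLYGLOT_CHILD_PDF_STATIC_TRIAGE", sev,
                         f"child PDF at 0x{off:X}, {len(child)} bytes"))
    for (num, gen), bodies in duplicate_objects(data).items():
        sev = "critical" if any(ACTIVE_RE.search(b) for b in bodies) else "info"
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", sev,
                         f"{num} {gen} obj defined {len(bodies)}x with differing bodies"))
    return findings


def build_sample() -> bytes:
    """Hand-built sample (constructed for this example, not the analysed file):
    12 links on one host, a link annotation redefined with a different target after
    the first %%EOF, and a second complete PDF body appended at a nonzero offset."""
    links = [b"http://farm.example/%d.pdf" % i for i in range(12)]
    links += [b"https://other.example/a.pdf", b"https://other.example/b.pdf"]
    annots = b"".join(
        b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (%s) >> >> endobj\n" % (10 + i, u)
        for i, u in enumerate(links))
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(links)))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b" 4 0 R] >> endobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://benign.example/) >> >> endobj\n"
            + annots +
            b"trailer << /Root 1 0 R >>\n%%EOF\n"
            # incremental-update style redefinition: same id, different link target
            b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/x.pdf) >> >> endobj\n"
            b"%%EOF\n"
            # second, complete PDF body at a nonzero offset, carrying an OpenAction with JavaScript
            b"%PDF-1.7\n5 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample()
    for rule, sev, detail in triage(sample):
        print(f"{sev:8} {rule}: {detail}")
    print("first-wins 4 0:", resolve(sample, 4, 0, "first"))
    print("last-wins  4 0:", resolve(sample, 4, 0, "last"))
```

The link-farm check only sees literal-string `/URI (...)` values; hex-string URIs, URIs inside compressed object streams and URLs present only in page text or metadata (such as the namespace and licence URLs in the listing above) are out of scope for it, which is also why a separate extraction channel is needed to tell clickable links from inert strings. The duplicate-object check deliberately reports both resolution policies, since the practical question for a targeted PDF is which body the victim's reader will actually use.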

Extracted artifacts (8)

Files carved from inside the sample during analysis.

font_00_sfnt_off0001216d.bin
  SHA-256: c297aa40150efb5599df5bfddbcc2c97d85cf7271980e19cb5ab0d97d56a07e5
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1216D
  Size:    6544 bytes

font_01_sfnt_off00013189.bin
  SHA-256: a3bda1470841f2af2dabeda7556ea834341ce68aa406c8ecf71391c86b6fb83b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x13189
  Size:    3820 bytes

font_02_sfnt_off00013f23.bin
  SHA-256: 6f28b27437978b3ff2e53db7f6cf11e123ef0797cda908f68bce58e4f958313b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x13F23
  Size:    5032 bytes

font_03_sfnt_off00015050.bin
  SHA-256: 2af85207e62b59846d93f5102221cd675e6daa322a495512c3c22eafe4052679
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x15050
  Size:    26868 bytes

font_04_sfnt_off00019ad2.bin
  SHA-256: a2ff9c8662744b7d9dae372b77145fbbe7faaa19fb6ee4618fb4f612aed79d35
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x19AD2
  Size:    17488 bytes

font_05_sfnt_off0001b50d.bin
  SHA-256: 33650ba6086bb2c6629f4a473a2fa07fc2d06a45913d83fac4f44952343a391f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1B50D
  Size:    6264 bytes

polyglot_child_pdf_off0001d0ce.pdf
  SHA-256: b44aa4f93483fd639c9a7502fc2dbd3961f0de7d28d63a77b06b697fe8730db9
  Kind:    polyglot-child-pdf
  Source:  Secondary PDF body inside PDF container at offset 0x1D0CE
  Size:    1314 bytes

polyglot_child_pdf_off0001d1ac.pdf
  SHA-256: 57a5eea65375aa661f507d03f9693e268ff02aebb53620e07b1bf05d8696e304
  Kind:    polyglot-child-pdf
  Source:  Secondary PDF body inside PDF container at offset 0x1D1AC
  Size:    1092 bytes

The two carved child PDF bodies overlap: the second starts 0xDE (222) bytes into the first, and both end at the same offset, 0x1D5F0 (0x1D0CE + 1314 = 0x1D1AC + 1092), near the end of the 117.5 KB file. That is consistent with one appended tail region containing two %PDF- markers rather than two independent payloads, so the carves should be reviewed together.