Malicious PDF — malware analysis report

Static analysis result for SHA-256 62d78a2fbb1d6b7d…

MALICIOUS

PDF

82.0 KB Created: 2021-03-28 19:14:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 791d4b947a6a6c45351a7a010051835f SHA-1: 2764c44f1291315ded2303c539d77758f98d67bc SHA-256: 62d78a2fbb1d6b7ddb3d7aa82dce2a3516ef31eb4e9ed728c7ebde0cce9f54db
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a significant number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting an attempt to direct users to potentially malicious websites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically classified as 'Pdf.Phishing.Trojan'. While no scripts were directly extracted, the nature of the link farm and the trojan classification implies the PDF is designed to exploit vulnerabilities or trick users into downloading further payloads, likely via embedded JavaScript or by directing them to exploit kits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=tasco+galaxsee+675x+telescope+price
    • http://sukutoxuwurif.mywebcommunity.org/how_to_fix_a_leaking_washer_fluid_reservoir.pdf
    • https://static.s123-cdn-static.com/uploads/4403259/normal_5fde9b9f036c4.pdf
    • https://cdn-cms.f-static.net/uploads/4421934/normal_601b67dee369e.pdf
    • https://static.s123-cdn-static.com/uploads/4426972/normal_60013c8c62f22.pdf
    • https://cdn-cms.f-static.net/uploads/4490974/normal_5fdafef1aebba.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fazaburifug.myartsonline.com/anova_sous_vide_cookbook.pdf
    • https://s3.amazonaws.com/bokofapig/statoil_asa_annual_report.pdf
    • https://ac4cd5cf-e861-4b1b-a585-e47049f737a6.filesusr.com/ugd/843280_18c6cabd372d4d729a9cc4d921c2fc8f.pdf?index=true
    • https://ba739632-11db-41f7-a023-683a20e55d36.filesusr.com/ugd/99835b_2f426504c46640b69a1f7397a06f78a0.pdf?index=true
    • https://s3.amazonaws.com/nevovumowa/el_principito_y_la_rosa.pdf
    • https://s3.amazonaws.com/megodipewukitoj/mens_health_weight_bench_50kg.pdf
    • http://degevojorak.myartsonline.com/88898743708.pdf
    • http://fovawipemezipu.myartsonline.com/96739101263.pdf
    • https://8a6b9437-e7f2-49d7-8c24-351b272aa67a.filesusr.com/ugd/b18e4d_24defaa3decf48cb80060e029ff22d71.pdf?index=true
    • https://s3.amazonaws.com/vavapekadoliti/gafivu.pdf
    • https://ebcfae26-b4e4-4f1a-a5b2-c5bdbddc1bdf.filesusr.com/ugd/259f90_3bb83909c0c64113aa49dacd048bb527.pdf?index=true
    • https://s3.amazonaws.com/votuweroxigezog/begufenu.pdf
    • https://s3.amazonaws.com/lorugipopuxe/xewizitanaluna.pdf
    • https://dedb376b-efc3-4528-ac10-fc65d12f866c.filesusr.com/ugd/5f6074_a2fff83d52054a80a065a1074ed52913.pdf?index=true
    • https://36fc1fe3-b646-4cc1-b6e9-de51469aea27.filesusr.com/ugd/3eb4bd_3511a51fee9040cf92b0a2cc20b6a681.pdf?index=true
    • https://5090c2af-253d-40c3-bfb7-942fc6db26b0.filesusr.com/ugd/0511f5_f8cfdfabd5d64e8b9ee3bebfc07be310.pdf?index=true
    • https://s3.amazonaws.com/jenisozazewubo/7_steps_of_service_restaurant.pdf
    • https://71f68c9c-1037-483c-a0ca-f268b7ddd3c8.filesusr.com/ugd/87fdc7_8f6e211ae4ad4fce8d925feba73ddcca.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de0a.bin
cb07671eebeaa4ad8c5599d63abcacc85a88c2ed77efaa387f46cea075121d2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDE0A 5160 bytes
font_01_sfnt_off0000efb7.bin
86e14416196724e9e43d605a5c471d4c32213fb038a94cd4c9a079160af26d77		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFB7 11404 bytes
font_02_sfnt_off00011668.bin
e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11668 16204 bytes
font_03_sfnt_off00012b96.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12B96 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.