Malicious PDF — malware analysis report

Static analysis result for SHA-256 633772413df50a67…

MALICIOUS

PDF

Size: 65.3 KB
Created: 2021-02-23 08:35:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63b8777d0a53246eb17e61deb99be580
SHA-1: e38b56c0b95810080a8915d1bf07c59557bb93c0
SHA-256: 633772413df50a67064fa2be15340c4c2ff30f3d0778420db172351c49f17f13
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to other PDFs, suggesting a link farm or SEO poisoning tactic. One prominent URL, 'https://leonvi.ru/123?utm_term=do+grapes+help+fight+cancer', is embedded in the document body and likely serves as the primary lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (the "N G obj" pair of object number and generation) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL (document body): https://leonvi.ru/123?utm_term=do+grapes+help+fight+cancer

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off0000c2a6.bin  | 4274c9732c99d52d4f7f415c9b94fbef99d78f696e694026371985be52a19411 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC2A6 | 5276 bytes
font_01_sfnt_off0000d49d.bin  | 2f6a28890c6793e80b64ba4b0e44ce8d2e9db6c796d3223277b57f0597d2fea9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD49D | 10256 bytes