Malicious PDF — malware analysis report

Static analysis result for SHA-256 636214490fc5ff82…

MALICIOUS

PDF

84.9 KB Created: 2021-05-18 06:16:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 199a40b3a9807459b7cdb4053d2e2c14 SHA-1: bd03557e78e9ca0a9a3b604eb7b01c04a1198d61 SHA-256: 636214490fc5ff824940a8974e9834a27e9fe48b7031020a3927d40c0d0da1d6
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains a large number of external links, many of which are SEO-themed, suggesting a link farm or phishing attempt. The heuristic 'SE_INVOICE_LURE' indicates the document's content is designed to trick the user into taking action. The primary malicious URL identified is https://jacksth.ru/strik, which likely serves as a gateway to a malicious payload or phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=grade+a+gazetted+officer+for+aadhar+card
    • https://buwavazazaradig.weebly.com/uploads/1/3/3/9/133999961/bamisizodek.pdf
    • https://kutemipemowu.weebly.com/uploads/1/3/4/8/134860595/depew.pdf
    • https://mifopubulu.weebly.com/uploads/1/3/1/6/131637027/fukilivax-tadikiguvone-pojox.pdf
    • https://pupiwukonavi.weebly.com/uploads/1/3/2/6/132682553/0041ab952fcba.pdf
    • https://xipunozelizu.weebly.com/uploads/1/3/1/3/131382486/4940822.pdf
    • https://kekerisasil.weebly.com/uploads/1/3/0/7/130775365/8812008.pdf
    • https://bixarina.weebly.com/uploads/1/3/1/0/131069915/6b5c86.pdf
    • https://fexolemigelewi.weebly.com/uploads/1/3/4/2/134235379/sanaraxisojigax-givemo-sivivi-suzoponig.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wenobagupexekap/ripetamawexovobulimego.pdf
    • https://s3.amazonaws.com/pipaneku/bitdefender_malware_definitions.pdf
    • https://s3.amazonaws.com/veraxawewib/write_the_full_form_of_computer_viruses.pdf
    • https://uploads.strikinglycdn.com/files/83ca71a5-37c5-421b-a623-fda7dd6aa092/lord_i_need_you_chris_tomlin.pdf
    • https://uploads.strikinglycdn.com/files/083797e6-681f-4e5c-941a-18871be6ccba/body_for_life_bill_phillips.pdf
    • https://uploads.strikinglycdn.com/files/57d241a0-8b6d-46fd-8548-50d5e00d97df/how_to_get_a_vendors_license_in_miami_florida.pdf
    • https://uploads.strikinglycdn.com/files/b67e7d3e-88f0-49ad-857c-2288c8bf0b37/why_is_australia_so_unique.pdf
    • https://uploads.strikinglycdn.com/files/05b34c58-fcb6-476b-b09d-70558fe6e4da/peter_pan_and_wendy.pdf
    • https://uploads.strikinglycdn.com/files/00b0206d-4079-415b-bd6a-73e4de1eed23/tewenugokotipuluzunuv.pdf
    • https://uploads.strikinglycdn.com/files/839537f4-f277-4a04-91b3-95e9c1562eac/descartes_circle_theorem_calculator.pdf
    • https://uploads.strikinglycdn.com/files/3a69e225-5385-463e-9f3a-3dea08e37949/how_to_open_a_pet_store_business.pdf
    • https://uploads.strikinglycdn.com/files/73e3e9e8-a770-4064-9b42-0adf4ad45280/css_table_cell_width_percentage.pdf
    • https://uploads.strikinglycdn.com/files/dcc9e6cd-408d-42d7-ade1-67264b00e6e6/felarimaxugevaluxufisos.pdf
    • https://uploads.strikinglycdn.com/files/3f8537c1-674f-470c-9d9e-7a4658b7f5b1/nenekupika.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f9bf.bin
34a35adc8cde27e4cdb25cf11917ce287782af47da6e9ed87b0cbbbd5f32f05e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9BF 5156 bytes
font_01_sfnt_off00010b53.bin
121a5c5e7af630f9112d8b5d75d34ad0968e65f8930b6322986433cb6e523041		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10B53 10552 bytes
font_02_sfnt_off00012f78.bin
ebf689d51ed3b58778ccf7ee11078071a21d17262a377a1c882137165fc51b0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F78 16076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.