Malicious PDF — malware analysis report

Static analysis result for SHA-256 64331902f375559e…

MALICIOUS

PDF

Size: 95.9 KB
Created: 2021-04-01 16:02:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54531975353b59041dc88164f5ab5576
SHA-1: 9620a91fa41ce03295611be1b53f2a254cdad310
SHA-256: 64331902f375559e29c1e022e8a2c341c1b50a23050b41d6cbe884fabd5043d7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is small (95.9 KB, generated with wkhtmltopdf) but carries a large number of external links, most of them clustered on one host, which is the pattern of a generated link farm; one prominent URL points to a suspicious domain. ClamAV matched the file with a Pdf.Phishing.Trojan signature and the Nyx PDF classifier scored it 0.9996 malicious. The embedded URLs and the document's structure indicate a carrier whose purpose is to route the reader to externally hosted content, either a phishing page or a further payload download. Note that none of the heuristics listed below reports JavaScript or an automatic action; the only delivery mechanism visible in this report is link annotations that require a click, so the T1059.007 mapping above is not corroborated by the listed detections.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/123?utm_term=gda+building+bye+laws+2018+pdf
    • https://cdn-cms.f-static.net/uploads/4375699/normal_5fe60d6ae92d6.pdf
    • https://cdn-cms.f-static.net/uploads/4382613/normal_6035f36529778.pdf
    • http://tonemisi.medianewsonline.com/effective_communication_in_business_ancient_heritage.pdf
    • https://cdn-cms.f-static.net/uploads/4392474/normal_6048505fb115e.pdf
    • https://cdn-cms.f-static.net/uploads/4479705/normal_602ca774d8378.pdf
    • http://bogipeborowe.sportsontheweb.net/nosql_database_types.pdf
    • http://xanejog.medianewsonline.com/dewaxuje.pdf
    • https://cdn-cms.f-static.net/uploads/4426954/normal_602b2e2c1825b.pdf
    • https://cdn-cms.f-static.net/uploads/4471475/normal_604eff185e481.pdf
    • https://static.s123-cdn-static.com/uploads/4420589/normal_60060523635cf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://254b3b0b-79dc-4992-827c-fd4bb3db3178.filesusr.com/ugd/f515ca_be54bece7bbe4194b547b23d5c4bda42.pdf?index=true
    • https://2eda13a9-9e0f-47dd-bbfa-a9a5028a3314.filesusr.com/ugd/61c57f_3de894b2d6874f00a9adfbbe7bb63054.pdf?index=true
    • https://s3.amazonaws.com/telasebisu/can_you_negotiate_apartment_rent_prices.pdf
    • https://7ed1f289-57d1-4e2a-9ee4-b64e0eb498cf.filesusr.com/ugd/13dc0c_f8eb38588eea465ab737818ef8273ea2.pdf?index=true
    • https://s3.amazonaws.com/votuweroxigezog/zoom_h4n_vs_h5_vs_h6.pdf
    • https://uploads.strikinglycdn.com/files/8bb9834b-0b81-462c-a45b-c1d158168ebc/playboy_bgm_mp3_song_download.pdf
    • https://uploads.strikinglycdn.com/files/26eeb9ba-ae92-4274-8f12-df61bbcdf2c1/how_to_install_sony_soundbar_with_wireless_subwoofer.pdf
    • https://uploads.strikinglycdn.com/files/bf5e4f06-57bc-4f20-92a3-5e7e7fc44671/how_to_fix_recliner_seat_springs.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
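The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short Python script. The one below is an added example and is not the scanner's own code: it extracts only /URI action targets (raw string extraction would also surface XMP namespace URIs and font licence links such as several of those listed above, which are not click targets), measures how many of the targets land on one host, and lists object ids that are defined twice with different bodies, raising severity only when the last-wins body adds an active key the first-wins body lacked. The thresholds, the hostnames and the sample PDF are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# `N G obj ... endobj`, in file order. Structural triage only: a binary stream
# that happens to contain the bytes "endobj" would cut an object short.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI targets written as literal strings; hex-string targets (<...>) are not covered.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose appearance in a redefined object raises the duplicate from info to critical.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm")


def iter_objects(data: bytes):
    """Yield (num, gen, body) for every indirect object definition in the file."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes):
    """Map (num, gen) -> list of bodies for ids defined more than once with
    differing bodies.  bodies[0] is what a first-wins reader resolves,
    bodies[-1] what a last-wins reader (the normal incremental-update rule) resolves."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(bodies):
    """'critical' when the last-wins body carries active content the first-wins
    body lacked; a body-only difference without active keys stays 'info'."""
    added = [k.decode() for k in ACTIVE_KEYS if k in bodies[-1] and k not in bodies[0]]
    return ("critical", added) if added else ("info", [])


def uri_targets(data: bytes):
    """External /URI action targets, with PDF literal-string escapes undone."""
    unescape = lambda s: re.sub(rb"\\([()\\])", rb"\1", s)
    return [unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(data: bytes, max_size=200 * 1024, min_links=10, top_share=0.5):
    """Link-farm verdict: a small file, many /URI targets, most of them on one host.
    The three thresholds are this example's assumptions, not the scanner's."""
    urls = uri_targets(data)
    hosts = Counter((urlsplit(u).hostname or "?").lower() for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(urls) if urls else 0.0
    return {
        "links": len(urls), "hosts": len(hosts), "top_host": top_host,
        "top_share": round(share, 2),
        "flag": len(data) <= max_size and len(urls) >= min_links and share >= top_share,
    }


def build_sample() -> bytes:
    """Constructed PDF (not the analysed file): 12 link annotations, 9 on one
    host, then an incremental update after %%EOF that redefines object 4 with a
    /URI action where the original body was a harmless /GoTo."""
    hosts = ["farm.example"] * 9 + ["a.example", "b.example", "c.example"]
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"4 0 obj << /Type /Action /S /GoTo /D [3 0 R /Fit] >> endobj",
    ]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(hosts)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj")
    for i, host in enumerate(hosts):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (http://%s/%d.pdf) >> >> endobj"
                    % (10 + i, host.encode(), i))
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    update = (b"4 0 obj << /Type /Action /S /URI /URI (http://farm.example/update) >> endobj\n"
              b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample()
    print("PDF_SEO_LINK_FARM:", link_farm_score(pdf))
    for (num, gen), bodies in duplicate_objects(pdf).items():
        sev, keys = duplicate_severity(bodies)
        print(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {num} {gen}: {sev} {keys}")
```

Run as a script it prints both verdicts for the constructed sample; on a real file, iter_objects lists every definition in file order so the two bodies of a duplicated object can be diffed. Because OBJ_RE stops at the first endobj, an object whose binary stream happens to contain that token is cut short; a full parser should honour the stream /Length instead.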

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000102d2.bin
  SHA-256: fd5f4f33ac405d20a0d7427aaed698f0c97513690e24828febe099eb0a1c0459
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102D2
  Size: 6000 bytes

Filename: font_01_sfnt_off00011766.bin
  SHA-256: 6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11766
  Size: 3720 bytes

Filename: font_02_sfnt_off000122c9.bin
  SHA-256: 62ce3b718d06107ea394c984e215fc2501e135f27815bb023cf2f952404e7af1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x122C9
  Size: 10212 bytes

Filename: font_03_sfnt_off00014600.bin
  SHA-256: 12881fd0a023c09a6be0e7b34e1fbebf660af434a68b4b3c5c8b7ec656655065
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14600
  Size: 13492 bytes
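The offsets and sizes above can be checked without trusting the PDF's own /Length values: an sfnt font starts with a 12-byte header followed by a table directory, and the far end of its furthest table is the font's length, so a carver can locate the header magic, parse the directory and cut exactly that many bytes. The script below is an added example on a constructed two-table font, not the report's own carving code; the sanity limit on numTables and the printable-tag check are assumptions used to filter false hits.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF OpenType


def find_sfnt_offsets(data: bytes):
    """Offsets of plausible sfnt headers: magic, a sane numTables and a printable
    first table tag.  Zero runs in binary data make the bare magic alone too noisy."""
    hits = set()
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 16 <= len(data):
                num_tables = struct.unpack_from(">H", data, pos + 4)[0]
                first_tag = data[pos + 12:pos + 16]
                if 1 <= num_tables <= 64 and all(0x20 <= c < 0x7F for c in first_tag):
                    hits.add(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def sfnt_tables(data: bytes, off: int):
    """Table directory at `off` as [(tag, offset, length)], offsets relative to the
    font start.  Returns None when the directory itself runs past the buffer."""
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if off + 12 + 16 * num_tables > len(data):
        return None
    tables = []
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        tables.append((tag.decode("latin-1"), t_off, t_len))
    return tables


def carve_sfnt(data: bytes, off: int):
    """Carve the font at `off`.  Its length is the far end of its furthest table,
    which does not depend on the enclosing PDF stream's /Length or /Length1."""
    tables = sfnt_tables(data, off)
    if tables is None:
        return None
    end = max([12 + 16 * len(tables)] + [t_off + t_len for _, t_off, t_len in tables])
    if off + end > len(data):
        return None  # truncated font: the directory promises bytes the file lacks
    blob = data[off:off + end]
    return {"offset": off, "size": end, "sha256": hashlib.sha256(blob).hexdigest(), "tables": tables}


def build_sample() -> bytes:
    """Constructed container (not the analysed PDF): an uncompressed font stream
    holding a two-table sfnt with dummy table bodies."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"A" * 20)]
    # searchRange/entrySelector/rangeShift for two tables: 32, 1, 0
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0)
    records, bodies, pos = b"", b"", 12 + 16 * len(tables)
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, pos, len(body))
        body += b"\x00" * (-len(body) % 4)  # table data is 4-byte aligned
        bodies += body
        pos += len(body)
    font = header + records + bodies
    return (b"%%PDF-1.4\n9 0 obj << /Length %d /Length1 %d >> stream\n" % (len(font), len(font))
            + font + b"\nendstream endobj\n")


if __name__ == "__main__":
    pdf = build_sample()
    for off in find_sfnt_offsets(pdf):
        print(carve_sfnt(pdf, off))
```

On a real sample this only finds fonts whose streams are stored uncompressed; a FlateDecode stream has to be inflated first and the offsets then refer to the inflated buffer, not the file. Comparing the carved size with the stream's /Length1 is a cheap consistency check, since a mismatch means the directory and the PDF disagree about where the font ends.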