Malicious PDF — malware analysis report

Static analysis result for SHA-256 65e1ae99ad5f1b45…

Verdict: MALICIOUS
File type: PDF
Size: 103.9 KB
Created: 2021-06-01 08:06:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3237394f968ad4c1bf2de95f6fffb1e2
SHA-1: ed9301489b11b543055a7b9f83850e96e871a358
SHA-256: 65e1ae99ad5f1b45f67c8da21925d6b0f381e9570a99c6ce97723ebe2ba7d5fd
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results or to direct users to malicious sites. The ClamAV detection and the ML classifier both strongly indicate malicious intent; the ClamAV signature classifies the file as a phishing trojan. Although no scripts were explicitly extracted, the PDF structure and the numerous external links suggest an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0001556d.bin
    SHA-256: f9b99a848a75d04dbe60cdd5dbe92fcd281a1a2b737e2699c5c2999d470aa64e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1556D
    Size: 5324 bytes
  • font_01_sfnt_off000167b7.bin
    SHA-256: a0d83d00a66684e99be461a0020b5d19f3c7ab630727cee71d45c204b063c062
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x167B7
    Size: 12372 bytes