Malicious PDF — malware analysis report

Static analysis result for SHA-256 6990570141479665…

MALICIOUS

PDF

Size: 92.7 KB
Created: 2021-03-20 10:56:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6baa61af0beabf8ec27b6abf3af189d8
SHA-1: 30e902aa0dc5e2e7e5ce8655899386a7d6e710b5
SHA-256: 69905701414796654232a1852d72449c39c197f471a73db245690ec44fbdbba2
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are part of a link farm designed to improve search engine rankings, a common tactic for distributing malware or phishing sites. One prominent URL, 'https://pelibifir.ru/wix?keyword=titanium+backup+pro+key+%25E2%2598%2585+root+1.3.0+apk+free+download', suggests a lure for pirated software. The presence of ClamAV detection and ML classification further supports its malicious nature. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=titanium+backup+pro+key+%25E2%2598%2585+root+1.3.0+apk+free+download

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eec8.bin
    SHA-256: 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEEC8; Size: 2960 bytes
  • font_01_sfnt_off0000f938.bin
    SHA-256: 27a4bf2bc531a63676af306e5c5a153a27d28efee0a393e0b16bb9044536a0b3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF938; Size: 5860 bytes
  • font_02_sfnt_off00010d3b.bin
    SHA-256: 4949ac2a911cd39e7bceec9f16233f63c4c030a35446b3f2436b3084b8ac221c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10D3B; Size: 12512 bytes
  • font_03_sfnt_off0001367f.bin
    SHA-256: 2d18798460508318b4a58b0b9070d6af1403c503f80dee89d77f71912f236590
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1367F; Size: 16140 bytes
  • font_04_sfnt_off00014b96.bin
    SHA-256: e0789c783428e9f7180f4359992defe68327d6bc23e72754ecd2fb8aa352a682
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14B96; Size: 16284 bytes