Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e5bbb2d56ed2b9a…

MALICIOUS

PDF

78.3 KB Created: 2021-03-20 05:50:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 542de40300372cedeae07ebb58b72c51 SHA-1: 7ee637c40c8bd000fe8b26907a64eb567f8b468c SHA-256: 6e5bbb2d56ed2b9a622adbabce35d719bf92c7670aa7ae321792323d39c132d4
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, with one pointing to 'jumiwimov.ru', suggesting a phishing or SEO manipulation tactic. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic further support this. No scripts were extracted, but the overall structure and linked URLs point towards a phishing or malicious content delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/wix?keyword=cast+of+beverly+hillbillies+still+alive
    • https://cdn-cms.f-static.net/uploads/4426541/normal_602dd6772c67d.pdf
    • https://static.s123-cdn-static.com/uploads/4470540/normal_6002a928d83dc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nitajosasa/manun.pdf
    • https://uploads.strikinglycdn.com/files/9b231716-d9c4-47a2-bbda-9d4464fd6680/can_you_connect_bluetooth_mouse_and_keyboard_at_the_same_time.pdf
    • https://uploads.strikinglycdn.com/files/d9118f46-4f33-46a7-8764-b4cb24c13629/dutizabulodajosikupiti.pdf
    • https://288dffde-0386-48bd-adba-b069b5f3b70f.filesusr.com/ugd/7e1b39_9433cfb006e84159adfac43892355678.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c8e0d691-efd1-4a9c-8974-59a9d8c584df/new_beauty_launches_may_2020.pdf
    • https://e26dc784-fa46-4601-9f6d-57686faaf216.filesusr.com/ugd/c66525_f674c7b289aa408890168fe087a863d0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2fb144a2-e9c0-4384-b363-4f07136ba0fa/what_causes_vertical_lines_on_tv.pdf
    • https://0fe83ef2-ed6b-4f04-a52d-31fe3c58d8d1.filesusr.com/ugd/ade4e6_ed11147f75944f9f9d11700503963369.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83e92aea-fd82-4ed2-8998-9ccae9faf7b7/why_does_my_dyson_keep_cutting_out_on_carpet.pdf
    • https://uploads.strikinglycdn.com/files/1c04f17f-1323-4e8e-86d7-b10ff78a2f51/sepenuvabarixer.pdf
    • https://uploads.strikinglycdn.com/files/571ae45e-1b51-491b-880f-d21939d48d53/16705552293.pdf
    • https://033f1a72-e514-447f-b44b-9d234b37386c.filesusr.com/ugd/f05202_937fe214054541f2baa93d24068a1bfe.pdf?index=true
    • https://562c2315-396f-49d1-9e45-1236e049cb13.filesusr.com/ugd/ec0012_db7b9ff58b044235832c7b9697568273.pdf?index=true
    • https://s3.amazonaws.com/pazerogasarinu/samsung_grand_prime_plus_price_in_pakistan_2019.pdf
    • https://s3.amazonaws.com/gedesisumi/ar_15_scope_mounts_vortex.pdf
    • https://fb413987-6e77-4bf1-aaa6-e97eb550fbee.filesusr.com/ugd/108936_51ad9efb045e40898ec0bf50745f1bab.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e070c096-9004-4d09-ae51-8bb73c4c2369/warriors_box_set_erin_hunter.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee80.bin
c96c84fa611da58bf09476d50777b7089cbf9570f66d1a08703891f69ce04679		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE80 5064 bytes
font_01_sfnt_off0000ffbc.bin
e1995dca1ff2103e2ff0301026b5f36befb423fcb5f368453393655ec88d8f5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFBC 13216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.