Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e9cac2bebb81c58…

Verdict: MALICIOUS
File type: PDF
Size: 75.7 KB
Created: 2021-03-31 06:09:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad2992fa17f5476aac44d7d91e1a95d5
SHA-1: 1ee8bf0dc8f8db7053f8854791884f7aa425bc66
SHA-256: 6e9cac2bebb81c588bd074b056a3b4bc2c136c029419b23c51bfa210a35bccc2
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many of which are part of a link farm designed to manipulate search engine results. The primary URL suggests a lure related to educational content, likely intended to trick users into visiting malicious sites. ClamAV and the ML classifier both flag the PDF as malicious, indicating it is likely a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=3d+shapes+nets+worksheet+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eae2.bin
    SHA-256: 5f5a595c5ce7a2d87bc84b4ee559aa22350e3d2caef727f08c02b6e05c8abdd5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAE2
    Size: 5320 bytes
  • Filename: font_01_sfnt_off0000fd06.bin
    SHA-256: 85b96bc481f066e3228defc7c9bccd6f7b77283652ad28aa48347a1d385edac0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD06
    Size: 10688 bytes