Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f61171456ab3ffb…

Verdict: MALICIOUS
File type: PDF
Size: 86.2 KB
Created: 2021-03-20 11:01:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb84a1cd8f01da3af1f62fa12050e615
SHA-1: 71538324d297e9f2f7dbe707a22a2cea21e15733
SHA-256: 6f61171456ab3ffb7c9ca503c4e1e2eb83dcf3a7383ea0f7bebecb2e011df0e7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to potentially malicious domains, as indicated by the PDF_SEO_LINK_FARM heuristic and ClamAV detection. The document body, though heavily obfuscated, suggests a lure related to 'basics of computer pdf for competitive exams'. The presence of embedded URLs and the ML classifier's high confidence score further support a malicious classification. No scripts were extracted, but the overall structure and link farm suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://kuzutuzo.ru/award?keyword=basics+of+computer+pdf+for+competitive+exams
    • http://supsun-aero.com/839940091886xlq4.pdf
    • http://omerkatanalp.com/descargar_media_player_classic_para_android1gaeg.pdf
    • http://cosmicgig.com/pavupibijoviletefetegijafmwbi9.pdf
    • http://kupiokno.su/55693200332nlc3v.pdf
    • http://cheeronthemove.store/pileluwal3nsmt.pdf
    • http://stingeksoj.online/livro_adestramento_de_cesy3qab.pdf
    • http://bluetea.space/66081103108c7cgl.pdf
    • http://mx50off.pro/97748024587md1qi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/175d3161-0ca4-47dd-8d49-2ba943e4ad27/ed_sheeran_over_the_castle_on_the_hill_chords.pdf
    • https://e57d8632-f742-4524-ada6-9cdf759d9f13.filesusr.com/ugd/b0cb2d_44825b812ffe4550ac889914fcc31ee0.pdf?index=true
    • https://33c7e2ec-32fc-4676-a642-9d95a4379e01.filesusr.com/ugd/622218_279277a7b9a44074b7a445b36dc71d8e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9d0b82a6-1fd8-4a81-a65c-02e887bcb143/america_the_story_of_us_episode_3_summary.pdf
    • https://f06ae689-34e6-4fd9-b749-a5985747e370.filesusr.com/ugd/4117a9_c446e76ca98445ea8f15282bcc8709d1.pdf?index=true
    • https://c1d61d78-9bae-425c-b347-ee91470fe4f1.filesusr.com/ugd/60933b_4ce5d693b77e44ecb77c447438bf142e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1b675c56-52de-4762-9c18-9403f90f593b/gabizikevowidegenofibig.pdf
    • https://4ac36a2f-1533-488b-b282-cf34cdace458.filesusr.com/ugd/bcfc12_33ef1f4c869a4dda9551b1a201f0802c.pdf?index=true
    • https://97a45c9e-1ab5-462a-bfe2-fded34b9a8b9.filesusr.com/ugd/b50c55_bbd0180e8a234b479e3dc55f5dda48aa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/70f10e16-cbc5-4c1b-bed1-8d44984fbd49/dave_ramsey_total_money_makeover_worksheets.pdf
    • https://uploads.strikinglycdn.com/files/d39bc19d-8613-46e7-959d-7ed5e159f639/how_to_crash_a_stock_market.pdf
    • https://c6b89c2f-dc7d-490d-a648-077c51828da9.filesusr.com/ugd/29ab01_ad617f779f5c4b6d8d32ce6a74da0d86.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83af9519-5b6b-4dc3-8f19-a5530d7bb408/6208673255.pdf
    • https://uploads.strikinglycdn.com/files/f1912db9-77fc-4b75-a4c7-76184d9c8ded/how_to_use_an_ab_lounge_sport.pdf
    • https://uploads.strikinglycdn.com/files/ad18225e-bb97-4cc2-a641-0cab43cbcac1/sas_proc_univariate_histogram_y_axis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f266.bin
  SHA-256: 49ab36520f670bdad1f0d6c05fdd922bcee2c80039c8c0ec7aaf97f70ee559d4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF266
  Size: 5448 bytes

Filename: font_01_sfnt_off000104e4.bin
  SHA-256: b6d985b3e01b7647fbe1c438a8fe5a990a9bd637fe004f6621092c2f115ed11e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x104E4
  Size: 10952 bytes

Filename: font_02_sfnt_off00012a39.bin
  SHA-256: 9853a4a918762215dfcba51349555ff48d39e56332efe18e2f333ca30d8a5b61
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12A39
  Size: 16096 bytes

Filename: font_03_sfnt_off00013f3f.bin
  SHA-256: a12908a88df35a7e9eb57470e9a94a806bb52df392ce88a62d07cba2b79b9044
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13F3F
  Size: 2832 bytes