Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fd423f592c3c32a…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-03-30 07:07:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c522c05fdeddce2d6c9145f3c2791fa
SHA-1: d0543c7dc0f52e9332c61668598912a649664426
SHA-256: 6fd423f592c3c32a48323bc80614ec5ff3f91a0b3dae2a42387490df798e2675
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file, generated by wkhtmltopdf, contains numerous external links, with a significant number pointing to Weebly and Strikingly hosted PDFs, suggesting a link farm or SEO manipulation tactic. One prominent URL, 'https://soxebez.ru/wix?keyword=what+is+salinization+in+agriculture', indicates a potential phishing lure disguised as a search result. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://soxebez.ru/wix?keyword=what+is+salinization+in+agriculture

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ee91.bin
  SHA-256: 54cc031d2bb802c11843e0c825e97a69540e84af6c3c07c2a295af158bc39814
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEE91
  Size: 5124 bytes

Filename: font_01_sfnt_off0001000d.bin
  SHA-256: d40bcf64c569cc7d5b792d1caddb4e35d53558d09ccc98608d4bbca9e6637f28
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1000D
  Size: 10504 bytes