Malicious PDF — malware analysis report

Static analysis result for SHA-256 7007d691cdc1a2f3…

MALICIOUS

PDF

Size: 87.5 KB
Created: 2021-06-05 09:57:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ba44208c2cb0b41560a01799c827d4a
SHA-1: 51d8e8fe447e022845f8970fc290774dcac431d6
SHA-256: 7007d691cdc1a2f376b65074d00a44fe8f2510e72cec16b894552de170fc83f5
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan payload. It contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results. The primary malicious URL identified is ketchas.ru, which is likely used to host or redirect to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ketchas.ru/pbw?utm_term=why+is+my+polaroid+onestep+2+not+working

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0001141b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1141B   5776 bytes
  SHA-256: 2c11582ab0d6c4a6f96d9f6152cefe56248129bff2653b7146c306d217e8eef1
font_01_sfnt_off000127bb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x127BB   12088 bytes
  SHA-256: 4256e537d35be30747e4215a0803a75a1c44567ab297736a93a53ac752a5b374