Malicious PDF — malware analysis report

Static analysis result for SHA-256 70dccbd6af06102a…

MALICIOUS

PDF

Size: 81.0 KB
Created: 2021-05-02 14:19:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a2954de8e3c6d8259752ea5f0df1f6b
SHA-1: 7766e8d34605ad68067eaa91a09ab4523e8891d3
SHA-256: 70dccbd6af06102a7087f0b553e4550f1ec6d69814ee635362edb03461e93c46
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. One of these links, 'https://resalured.ru/strik?utm_term=is+mhz+choice+worth+it', is flagged as an external URI and is likely part of a malicious campaign. The ML classifier and ClamAV detection strongly suggest malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=is+mhz+choice+worth+it

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd9c.bin
SHA-256: 3775cb93164b482c7786843ce60bbf6dca16958099b742cb2f71f2af3fce6efb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFD9C
Size: 4876 bytes

Filename: font_01_sfnt_off00010e24.bin
SHA-256: ca2c6e7a018f053b95c0e533eb17b01f0a401bab7d96b35209ca6f3b7ef0c100
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10E24
Size: 12128 bytes