Malicious PDF — malware analysis report

Static analysis result for SHA-256 730e51ee849a0671…

MALICIOUS

PDF

77.5 KB Created: 2021-03-29 21:20:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 940aad1a7162be4cfc3ec0cc420f4efe SHA-1: 73b6aa08f9b54374412f767310952f2a25d994d6 SHA-256: 730e51ee849a0671ee1e651b0f696de9f434f60536eaf558f86a7f836ac95fdd
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains a large number of external links, with one prominent link pointing to 'https://jacksth.ru/strik?utm_term=leadership+skills+assessment+questions', suggesting a phishing or SEO spam campaign. Another heuristic identified a link farm with 30 external PDF links, including 'http://nezazujax.epizy.com/xufadotuwiloges.pdf', indicating a potential effort to distribute malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=leadership+skills+assessment+questions
    • https://cdn-cms.f-static.net/uploads/4450519/normal_6027ec0331c43.pdf
    • https://pebuzifidam.weebly.com/uploads/1/3/2/8/132815752/vureferewataz.pdf
    • https://static.s123-cdn-static.com/uploads/4365582/normal_5fdeab6b961b0.pdf
    • https://mozufidapu.weebly.com/uploads/1/3/4/0/134012608/meguvaxupenalas_jebok.pdf
    • https://static.s123-cdn-static.com/uploads/4446390/normal_5fecf988d0864.pdf
    • http://sofebitaxed.iblogger.org/39644635770.pdf
    • https://wufijoduk.weebly.com/uploads/1/3/2/3/132302847/76a579f43b5.pdf
    • http://rekugegik.scienceontheweb.net/xezivorapobidebomolemita.pdf
    • https://pusesame.weebly.com/uploads/1/3/4/6/134662227/kubodu_zatupive_ragimiledut_pomif.pdf
    • http://pidawudimo.scienceontheweb.net/animal_farm_full_summary.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nezazujax.epizy.com/xufadotuwiloges.pdf
    • https://s3.amazonaws.com/xukirizugukugi/ninuxefame.pdf
    • https://f110cc6a-49d6-427c-9ab6-a3a4d323b004.filesusr.com/ugd/9e53d4_895ebca737c742b59dd71a3a972fc548.pdf?index=true
    • https://s3.amazonaws.com/vuforewebub/denoxedoxukefopizito.pdf
    • https://e437b920-fa79-41d5-b67c-0ca059f4e77a.filesusr.com/ugd/d97c10_943a619db1d04b19a32b264087da4312.pdf?index=true
    • https://s3.amazonaws.com/tanikanaw/chimani_pakhar_movie_video_song.pdf
    • https://s3.amazonaws.com/mukutud/17289337856.pdf
    • https://s3.amazonaws.com/zalomi/saudi_data_flow_report.pdf
    • https://8f1c0ae7-1ba6-4c51-a623-4d29f5e3aebb.filesusr.com/ugd/c1615c_a0e8169abd284f1a8b7a809cfe31c120.pdf?index=true
    • https://9e269ae7-c3cf-4b9f-bde2-1d9be064b7bf.filesusr.com/ugd/139869_54cf0a181c8f4c9b8c058077a4024c9b.pdf?index=true
    • https://504706c9-3a86-45eb-876a-6494ef133fff.filesusr.com/ugd/80c1db_e9d21f733aa144d9952112e15ce48e80.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f30c.bin
ebaca421c32e5e41c5a5b9f151015a61033dbcd63ecb54ee340c529c39fc51a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF30C 5332 bytes
font_01_sfnt_off00010503.bin
e6389ef757bf2c372ad452fc7d05af0103b6ec20569fde5cf41908d1ecd613de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10503 10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.