Malicious PDF — malware analysis report

Static analysis result for SHA-256 7310b11d581bb9c9…

Verdict: MALICIOUS
File type: PDF
Size: 70.0 KB
Created: 2021-03-25 04:56:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5432ecee39a94ea68cc93d8695780e20
SHA-1: b64e7885ba372689aada93f89a4acb09b46e9a6d
SHA-256: 7310b11d581bb9c96a64badb16b742f2912a56d4cef55aad74a7373cf2b7ea0c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was detected as malicious by ClamAV and an ML classifier, and it contains a large number of external links, many of which are to PDF files. One of the primary URLs, 'https://midufefew.ru/aws?utm_term=william+bolcom+plays+graceful+ghost+rag', is suspicious. The PDF structure and embedded links suggest a phishing or SEO manipulation tactic, likely intended to lead users to malicious sites or to improve search engine rankings for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://midufefew.ru/aws?utm_term=william+bolcom+plays+graceful+ghost+rag

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d184.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD184 | 5684 bytes
  SHA-256: 17aea23a2f0af7bea72ae5408636eb85fe25708d99893795884e9c31297288e3
font_01_sfnt_off0000e4c0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4C0 | 10636 bytes
  SHA-256: 713f37f2d81b658d5c7843411d16f435209cd363f09b15da011bc22f63daf080