Malicious PDF — malware analysis report

Static analysis result for SHA-256 7465cf8becf4b4ea…

Verdict: MALICIOUS

File type: PDF

Size: 79.2 KB
Created: 2021-05-27 01:22:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 066a7f01c2acbe52918c138d41eee474
SHA-1: 051aebcdd081b3653695cdcdf6db82005d4cf1be
SHA-256: 7465cf8becf4b4ea4d91c32f622f65fe78edd7505e0e2722f8995f75c28be4c6
Risk score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating high maliciousness. The PDF contains a large number of external links, many pointing to other PDF documents, which suggests it is part of a link farm used to distribute malicious content or to phish users. The embedded URL 'https://xajibur.ru/wb?keyword=how%20to%20move%20up%20the%20emotional%20guidance%20scale' is the primary indicator of this malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xajibur.ru/wb?keyword=how%20to%20move%20up%20the%20emotional%20guidance%20scale
    • https://pozopili.weebly.com/uploads/1/3/4/3/134310053/3832006.pdf
    • https://static.s123-cdn-static.com/uploads/4391915/normal_6002e1d158325.pdf
    • https://cdn-cms.f-static.net/uploads/4373769/normal_601bc97b611e0.pdf
    • https://cdn-cms.f-static.net/uploads/4422163/normal_601457847ab17.pdf
    • https://cdn-cms.f-static.net/uploads/4497095/normal_60439128cb1dd.pdf
    • https://static.s123-cdn-static.com/uploads/4484632/normal_60000fe7a26ea.pdf
    • https://riwurarelix.weebly.com/uploads/1/3/4/4/134484082/sokukejujosoj.pdf
    • https://puvovajol.weebly.com/uploads/1/3/4/0/134040332/jafolobod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/51a39e06-f92e-4e85-a1a4-58ad2494e490/alice_in_wonderland_down_the_rabbit_hole_movie.pdf
    • https://uploads.strikinglycdn.com/files/15d99a41-ae98-4e4e-89c7-84a8d959b5a2/olivetti_lettera_32_ribbon_australia.pdf
    • https://uploads.strikinglycdn.com/files/6ce97d08-4ecb-40d8-b699-e732c01cc0c8/24487051262.pdf
    • https://uploads.strikinglycdn.com/files/6079e2eb-5b22-4a4b-a816-80d9d33853ae/best_online_booking_app.pdf
    • https://uploads.strikinglycdn.com/files/fecdc8d3-01c9-4085-926e-abbc3c301d0f/16768399899.pdf
    • https://uploads.strikinglycdn.com/files/66cc4967-2949-481a-96d7-6ef06e92033a/are_subway_oatmeal_cookies_healthy.pdf
    • https://uploads.strikinglycdn.com/files/5d8ca0b4-229e-4601-baf5-80b0f21d45ec/the_disaster_artist.pdf
    • https://uploads.strikinglycdn.com/files/9b098944-f6aa-43b7-aaeb-65b35143a61f/yamaha_f250_shop_manual.pdf
    • https://uploads.strikinglycdn.com/files/39a597d3-27af-483b-b2bb-670a2c5670db/avast_30_days_trial_free_download.pdf
    • https://uploads.strikinglycdn.com/files/e70f5289-32f4-4b79-b1d0-c6a8730838d8/gisesil.pdf
    • https://uploads.strikinglycdn.com/files/655a0094-d009-40ed-bbc4-23952de5d5ab/mivafiloziwe.pdf
    • https://uploads.strikinglycdn.com/files/9282ba05-a2db-45fa-813e-65015a9dd31a/jozogovakerenuzokoregivup.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e8e1.bin
    SHA-256: f68f8561438646eea7b1e0bc42a61625bab633e2ebf2714f9156a1f7bafa7d6d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE8E1
    Size: 5388 bytes
  • font_01_sfnt_off0000fb25.bin
    SHA-256: 216740d83a5e0c7a33933cc38e750048f6b08eb5fcb532e8b6cbb0c761eedbe0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB25
    Size: 10680 bytes
  • font_02_sfnt_off00011f70.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F70
    Size: 4324 bytes