Malicious PDF — malware analysis report

Static analysis result for SHA-256 77ce91ad2f2d1d18…

MALICIOUS

PDF

79.5 KB Created: 2021-03-17 01:54:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 386c13de8b0f61bf428d9b45c05862e2 SHA-1: 5f3ed25cc359a169667f7a5a71446bc2781f6546 SHA-256: 77ce91ad2f2d1d18d7f1f733d6f9d341c68162ebba5eda3e3624ec22c0260c56
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, with one suspicious URL pointing to a potential phishing or SEO manipulation site. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=san+diego+jmun
    • https://voledepegos.weebly.com/uploads/1/3/1/4/131407008/48011e55c0b66.pdf
    • https://rixafivi.weebly.com/uploads/1/3/1/3/131380000/e972a.pdf
    • https://robugagemo.weebly.com/uploads/1/3/5/3/135304688/fukituzilakefu.pdf
    • https://jopazidavasuzu.weebly.com/uploads/1/3/2/6/132681438/vuduzo-sogawozefaw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/bd32f4a9-b6a1-4693-b131-5df718ea9968/17711891210.pdf
    • https://uploads.strikinglycdn.com/files/253eb1ec-9738-4a7e-b968-bfa85c1cec4b/gavovafibupu.pdf
    • https://uploads.strikinglycdn.com/files/0f03c033-6293-44a6-bb21-3cfe58abf6d8/98689052518.pdf
    • https://uploads.strikinglycdn.com/files/9a754edc-703e-42dd-abdd-ca908389f0ab/what_to_write_on_godson_christmas_card.pdf
    • https://uploads.strikinglycdn.com/files/4873cee8-f886-4416-b3b9-1c5eed5230e2/13222131088.pdf
    • https://36622f5a-5a1b-41a5-aa98-965156e47ac2.filesusr.com/ugd/804ff6_aa59ae2e39b8480493213c3a47a81eba.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e2ad2d5e-2711-4862-b20c-5335a630eda9/8039647031.pdf
    • https://uploads.strikinglycdn.com/files/491ea2fa-89b9-4d7c-b430-cc7112cfcdf3/kotadogetomud.pdf
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_62a140be75134f9781dde9f197524bd4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3b8e69fe-7a9d-4bd5-a0db-53c68bd751bb/what_is_the_5th_p_in_marketing_mix.pdf
    • https://uploads.strikinglycdn.com/files/2873dbbe-710b-44ca-b750-4694ad3f7109/xegaxesalodida.pdf
    • https://b2f02272-107b-4032-aafc-54cdd6265a16.filesusr.com/ugd/6cf392_f2de39367d334d3394884976c79a6e90.pdf?index=true
    • https://uploads.strikinglycdn.com/files/93fb2f65-2c3c-4a42-922d-eaf2edf8afe2/14616999732.pdf
    • https://5548a280-a194-4776-8019-0e256783c1fa.filesusr.com/ugd/f2c1dc_f249544146dd49039f80f5b2d1f11358.pdf?index=true
    • https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_5c8d38bc911745458372c29a85bd8359.pdf?index=true
    • https://uploads.strikinglycdn.com/files/000c0ab4-fcfb-42dc-8403-0b8da1ac02ca/93352371642.pdf
    • https://uploads.strikinglycdn.com/files/70f8c476-aea3-4095-add9-4773f7c98c75/patterns_of_world_history_volume_1_3rd_edition.pdf
    • https://a581e706-3bf6-41fb-8978-ad4d4077590d.filesusr.com/ugd/afbe6b_81c71eb372944a59953229a272c2b5a3.pdf?index=true
    • https://f8b2de7a-6012-4721-b8f1-df5267d6bb95.filesusr.com/ugd/8ebb60_e9323c3935f341b892833ffe2acb9ffe.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f827.bin
fbc3e5fe2cc332f22d3ec6981aafab7bfe58e457bba8953eb1fce1fe9759d9da		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF827 5016 bytes
font_01_sfnt_off0001092f.bin
393f22d65684be0eb2334d4a71734f6eaae23a728084e9e215ae687862469d6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1092F 11708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.