Malicious PDF — malware analysis report

Static analysis result for SHA-256 78216d6df066b8eb…

MALICIOUS

PDF

80.9 KB Created: 2021-03-29 18:31:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2e4c67caca18d4b73a405abf5da70cc SHA-1: 5e6a5f73eed7bb46795377e420c6c81a687037c9 SHA-256: 78216d6df066b8eb95b22229c662c72b683fa8fb7544bb1968229691a5f526c0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a ML classifier indicated a high probability of maliciousness. The heuristic PDF_SEO_LINK_FARM indicates the presence of a large number of external links, with the primary malicious link being http://luvatok.66ghz.com/64953008357.pdf. Another external URI, https://pelibifir.ru/wix?keyword=csun+spring+2020+classes, was also extracted. The document body is heavily obfuscated, preventing a clear understanding of its direct intent beyond linking to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=csun+spring+2020+classes
    • http://luvatok.66ghz.com/64953008357.pdf
    • https://cdn-cms.f-static.net/uploads/4373271/normal_6030259600d5a.pdf
    • https://static.s123-cdn-static.com/uploads/4366306/normal_5ff4a45558c1e.pdf
    • https://cdn-cms.f-static.net/uploads/4369516/normal_601ca5a720d8e.pdf
    • https://static.s123-cdn-static.com/uploads/4393624/normal_5fe54ae6bb101.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/616a5683-b9a4-40bd-ae87-2325b60875f7/how_to_play_gta_5_cracked_online.pdf
    • https://uploads.strikinglycdn.com/files/015cf058-71de-468c-aed4-cbe4ccc92973/how_to_use_olympus_digital_voice_recorder_vn_541pc.pdf
    • https://s3.amazonaws.com/sikuva/wuwejepipiw.pdf
    • https://uploads.strikinglycdn.com/files/8ca6e0b6-fc8c-4333-80f2-0c3fe8e704b3/tegejugutozutefut.pdf
    • https://uploads.strikinglycdn.com/files/d8eef18f-5a12-4141-bc45-1a1e2027d131/31728519146.pdf
    • https://s3.amazonaws.com/nufidibodudulad/visowufutesa.pdf
    • https://uploads.strikinglycdn.com/files/3e3622ba-0e61-4078-bb9d-474fdd6f4174/86718272896.pdf
    • https://s3.amazonaws.com/tolivajupeku/39874872642.pdf
    • https://s3.amazonaws.com/tuxutedi/74651616752.pdf
    • https://s3.amazonaws.com/xakusineba/kollington_ayinla_music_free.pdf
    • https://1e438cd7-6f3b-42ac-a97b-d13a75fa135b.filesusr.com/ugd/0c268c_afa421562e9045c1a542a94d5352eb74.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4deb155d-cf41-4343-9d69-78b90fcdcc43/wildgame_innovations_xb370_barnett_crossbow.pdf
    • https://uploads.strikinglycdn.com/files/7d653630-02d9-4298-ba18-83fc57ac1cf4/wikokibidafuvavibokojedek.pdf
    • https://uploads.strikinglycdn.com/files/917fe541-e0d0-46c3-a33f-a58f1ce9a5e0/kenazabulanuguwo.pdf
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_52c140ec250a4712ae0ebae5c5d73587.pdf?index=true
    • https://uploads.strikinglycdn.com/files/02cdc74c-2b00-42d7-8691-cfa8d16f7e9d/how_to_pair_onn_wireless_headphones.pdf
    • http://xupefezamu.epizy.com/bangalore_detailed_map.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fe8a.bin
72cd649db9490f5c600af80f0aeb0141e0d1ff82bf1562006e39e0615f1c1ba7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE8A 5280 bytes
font_01_sfnt_off0001108d.bin
e69acb32da424c80beafd19cf3f53350691b1fc94fa7cc7792c2ee5d9a12ad91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1108D 11512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.