Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b01a5790c21bba7…

Verdict: MALICIOUS
File type: PDF
Size: 84.9 KB
Created: 2021-03-29 04:51:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64d1b687ce8216c2733089e8396054f4
SHA-1: 37fe87975130cb20ac6b72967815f8f6e013aa9f
SHA-256: 7b01a5790c21bba735e0cb45a5e5c58803386413220b7acd0c165519f95b54f2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for link farms and phishing sites, as indicated by the PDF_SEO_LINK_FARM heuristic. The embedded URL 'https://mezovuduw.ru/award?keyword=medical+certificate+for+casual+leave+pdf' suggests a lure related to official documents. ClamAV detection and ML classification confirm its malicious nature, likely as a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/award?keyword=medical+certificate+for+casual+leave+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00010b98.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B98  5212 bytes
  SHA-256: 688e6afa3e8bcf6b5a3d8acfbae93a423babb63280cf82d7f8f388bed490ddab
font_01_sfnt_off00011d7a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11D7A  11272 bytes
  SHA-256: 840d9f8fd2033d3888e086b495be468a9bc5d52188732ed61ed978adab7d7db2