Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e9cd1d561450015…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-22 05:07:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f3d5ed52e23e40d034ad6b84ea2b3783
SHA-1: 5d3073b1bfa03b54b0d94afc941fef65052285fa
SHA-256: 7e9cd1d56145001529cea540633dd2362fe2f9ac63547858075f3aac73682d5e
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This 76 KB PDF contains an unusually large number of external link annotations, most of them pointing to randomly named PDFs on free file-hosting CDNs (weebly.com, sqhk.co, f-static.net, filesusr.com). The ClamAV signature and the ML classifier both flag it as malicious. The primary link, 'https://jacksth.ru/strik?utm_term=can+having+an+orgasim+cause+bleeding+while+pregnant', carries a sensitive search query in its utm_term parameter, which suggests a phishing or scam page posing as a search result for that query. No JavaScript or other script objects were extracted, so the delivery mechanism is the link annotations themselves rather than active content: the PDF is a generated carrier whose only purpose is to host and distribute these links.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9997)

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action (/A << /S /URI ... >>).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G obj) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the trailing w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are XMP metadata namespace identifiers and the embedded fonts' licence URL, not clickable links.
    Primary URL: https://jacksth.ru/strik?utm_term=can+having+an+orgasim+cause+bleeding+while+pregnant
    • https://sovejugi.weebly.com/uploads/1/3/4/6/134652237/gevexivub_kiwolodev_wevido.pdf
    • https://cdn.sqhk.co/legusovej/5jiggid/jiffy_lube_live_seating_chart_with_numbers.pdf
    • https://cdn.sqhk.co/pafevola/aChhgd4/62743384993.pdf
    • https://cdn-cms.f-static.net/uploads/4471484/normal_5fd0b3b6912a1.pdf
    • https://cdn-cms.f-static.net/uploads/4419820/normal_6057f5f80536f.pdf
    • https://dexidete.weebly.com/uploads/1/3/5/3/135394420/3270030.pdf
    • https://cdn.sqhk.co/dijowasedop/ijiHxoU/qte_kung_fu_masters.pdf
    • https://pazibeze.weebly.com/uploads/1/3/1/6/131636707/gilepofazapogit.pdf
    • https://static.s123-cdn-static.com/uploads/4490123/normal_5ff713b093f4d.pdf
    • https://cdn.sqhk.co/fugovigul/hLjagim/indycar_race_tomorrow.pdf
    • https://cdn.sqhk.co/lebuxexofe/fjdgfna/download_idle_car_industry_tycoon_mod_apk.pdf
    • https://cdn.sqhk.co/suxujaba/dheyhdM/descargar_adv_screen_recorder_para_pc.pdf
    • https://cdn.sqhk.co/pigajifaw/5XgceY9/judumukifizux.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_feea118a060a418aabb3e550d1936c20.pdf?index=true
    • https://06ebba1c-c738-45d4-b58d-83edbdcc9420.filesusr.com/ugd/b14caa_0e4a046d63cc49a980c5e904b778ac58.pdf?index=true
    • https://2ac56fc1-f7ee-4366-9cb2-1681469c68ee.filesusr.com/ugd/b914b5_0f30c27aee2b43a084d42da4213e8dac.pdf?index=true
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_3b12ea14b78a47b891d7699052c50ff5.pdf?index=true
    • https://9849c7ec-8b19-4b81-9a64-db2537ea7c40.filesusr.com/ugd/97b1c0_d908d81cc8ab4f849c538ad4de8c891b.pdf?index=true
    • https://f8b2de7a-6012-4721-b8f1-df5267d6bb95.filesusr.com/ugd/8ebb60_a2b4f0a7982b409596bbdfa1ecc6cf31.pdf?index=true
    • https://77701ba7-c5ad-4750-ab17-5b03548f7fc0.filesusr.com/ugd/9a242c_9a3920a3799a4fd988cd1d0bee000240.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
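The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan, which is how a triage script checks a sample like this one without trusting the xref table. The following is an added example written for this report, not the scanner's own logic: it pulls /URI strings out of link actions (literal and hex strings), counts how many cluster on one host, and finds object numbers that are defined twice with different bodies, showing what a first-wins and a last-wins reader would each resolve. SAMPLE_PDF is a constructed minimal file with invented hostnames, and the link-farm thresholds (size_limit, min_links, min_share) are assumptions, not the values the report's engine uses.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed test input (not the sample from the report): a tiny PDF whose
# page has four link annotations, three of them on one host, followed by an
# incremental update that redefines object 4 0 with a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/a/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/b/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f63646e2e6578616d706c652e6e65742f632f74687265652e706466> >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example.org/landing) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.ru/strik) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" anywhere in the file, xref ignored on purpose.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI followed by a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)


def _unescape_literal(raw: bytes) -> bytes:
    # Only the escapes that realistically occur inside URLs: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uris(data: bytes) -> List[str]:
    """Every /URI target in the file, in byte order, decoded as latin-1."""
    uris = []
    for lit, hexs in URI_RE.findall(data):
        if hexs:
            h = re.sub(rb"\s", b"", hexs)
            if len(h) % 2:          # PDF pads an odd final digit with 0
                h += b"0"
            raw = bytes.fromhex(h.decode("ascii"))
        else:
            raw = _unescape_literal(lit)
        uris.append(raw.decode("latin-1"))
    return uris


def duplicate_objects(data: bytes) -> Dict[Tuple[int, int], List[bytes]]:
    """Object numbers defined more than once with differing body bytes."""
    seen: Dict[Tuple[int, int], List[bytes]] = {}
    for num, gen, body in OBJ_RE.findall(data):
        seen.setdefault((int(num), int(gen)), []).append(body.strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data: bytes, num: int, gen: int = 0, policy: str = "last") -> Optional[bytes]:
    """Body a first-wins ("first") or last-wins ("last") reader uses for N G."""
    bodies = [b.strip() for n, g, b in OBJ_RE.findall(data)
              if (int(n), int(g)) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def host_clustering(uris: List[str]) -> Counter:
    return Counter(urlsplit(u).hostname or "" for u in uris)


def looks_like_link_farm(data: bytes, size_limit: int = 200_000,
                         min_links: int = 3, min_share: float = 0.5):
    """Assumed thresholds: small file, several http(s) links, most on one host.
    Returns (flagged, dominant_host, total_external_links)."""
    uris = [u for u in extract_uris(data)
            if u.lower().startswith(("http://", "https://"))]
    if len(data) > size_limit or len(uris) < min_links:
        return False, None, len(uris)
    top, n = host_clustering(uris).most_common(1)[0]
    return n / len(uris) >= min_share, top, len(uris)


if __name__ == "__main__":
    flagged, host, total = looks_like_link_farm(SAMPLE_PDF)
    print("link farm:", flagged, host, total)
    for key, bodies in duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d:" % key)
        print("  first-wins ->", resolve(SAMPLE_PDF, *key, policy="first"))
        print("  last-wins  ->", resolve(SAMPLE_PDF, *key, policy="last"))
```

Because the scan ignores the xref table, it sees every definition of object 4 0, which is exactly what a detection heuristic wants; a conforming reader would follow /Prev and use only the last one, while a lenient reader that rebuilds objects by scanning may pick the first. Run both policies when you want to know which URL a given viewer would actually open.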

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000ea33.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEA33   5684 bytes
  SHA-256: 1730fc4bad37826fdc5aeebfb29f3412d54266880184195cf05a0207e122bee2
font_01_sfnt_off0000fd6d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFD6D   10764 bytes
  SHA-256: d14df03e0737ca7e94fe0183ef7a619271a361731a8bcd5b4c88a009a3f0e69a