Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fdb38485843aa32…

Verdict: MALICIOUS
File type: PDF
Size: 93.0 KB
Created: 2021-03-14 11:09:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6dc7a979fc58c6f20f540f295a64a068
SHA-1: 908a54218bd2d2974d8f57367fc5df13fe9dc874
SHA-256: 7fdb38485843aa32ce24a932aea43376e0b094fd47c19581510b2a918b9f123f
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a 'PDF_SEO_LINK_FARM'. The primary external URI points to 'https://jacksth.ru/wix?keyword=comparing+hinduism+and+buddhism+worksheet', and another critical heuristic highlights a large number of PDF links originating from 'http://feludekinopotas.scienceontheweb.net/'. This suggests the document's purpose is to redirect users to a network of sites, potentially for phishing or malware distribution, aligning with spearphishing attachment tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010364.bin
    SHA-256: 705377623a4c4344e02470fedf876d1ed6f0c7c0eac322cafb15afc9430d14bf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10364
    Size: 6440 bytes
  • font_01_sfnt_off00011358.bin
    SHA-256: 94a27fd490fdd9efd05ed232cb177b58c18b736439ccc8705f44313437604760
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11358
    Size: 5544 bytes
  • font_02_sfnt_off00012606.bin
    SHA-256: 3d05b3fe462d2dfafd6717e66c283c6cdef2aa91a73d3efaa8ae6bb686f02789
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12606
    Size: 12256 bytes
  • font_03_sfnt_off00014fdb.bin
    SHA-256: d8949076153b506d0263e7f774c3afe225f31c34230a03cbf93bb85259a13da0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14FDB
    Size: 16232 bytes