Malicious PDF — malware analysis report

Static analysis result for SHA-256 8009c16c06b3959e…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-03-26 09:59:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85f6d1cdbeff75cee44a17c5c5dc6697
SHA-1: 226a9fdf5dda5da2828d619e0b95b2821b272458
SHA-256: 8009c16c06b3959ed84ab736fa46ff480742f1ad0c907a333d2b74b0b503e0cb
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external link annotations, identified as a PDF SEO link farm: a small, generated document whose only purpose is to route readers to other URLs. One of them, 'https://vilenefex.ru/strik?utm_term=what+type+of+oil+does+a+2006+honda+civic+si+take', is flagged as suspicious. The ML classifier (malicious score 0.9967) and the ClamAV signature match both point to malicious intent, most likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/strik?utm_term=what+type+of+oil+does+a+2006+honda+civic+si+take
    • http://fly-drive.online/2457748926286n9z.pdf
    • https://wumibopoz.weebly.com/uploads/1/3/4/5/134511789/9856483.pdf
    • http://workshop-fb.ru/pte_academic_word_listca70l.pdf
    • http://extra-fon.ru/what_are_some_examples_of_similes_and_metaphors0fvry.pdf
    • https://jipunusib.weebly.com/uploads/1/3/0/8/130813609/8ea0f07.pdf
    • https://wopuxikejixup.weebly.com/uploads/1/3/1/8/131856699/gapajo_jozasukuder.pdf
    • https://finazevad.weebly.com/uploads/1/3/0/7/130739247/nepejiloxusavit-jagutupos.pdf
    • https://wixexiwe.weebly.com/uploads/1/3/5/3/135316610/xesekarudisufodowab.pdf
    • https://setibadumizokeg.weebly.com/uploads/1/3/4/8/134880372/bufixegi-xofiwinewoni-jusezakar-sawozodet.pdf
    • https://nedovena.weebly.com/uploads/1/3/4/5/134528917/775378.pdf
    • http://uscreditinquiry.info/charismatische_fhrung_transformationale8odc6.pdf
    • https://mutakisutuw.weebly.com/uploads/1/3/4/7/134768563/pogomuv.pdf
    • https://jazebaza.weebly.com/uploads/1/3/4/6/134662006/kevoso.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/53f8915b-5482-4218-b858-d6d696417b97/the_fuel_and_the_flame_audiobook.pdf
    • https://uploads.strikinglycdn.com/files/3bf521b2-d0d0-41be-918d-2af68f1b6121/64014996922.pdf
    • https://576979ff-f939-4980-8793-4b7993fae0a8.filesusr.com/ugd/14903d_aef80be0a31640ee993ed390136d6174.pdf?index=true
    • https://35e1cc1d-5f6c-4a41-9b1b-b9ae8dddc97a.filesusr.com/ugd/351eee_d5901cbf2b9941c2a0704cbdeb52fdf2.pdf?index=true
    • https://e8ceee85-86bf-4804-80ab-d7a1511cbcf5.filesusr.com/ugd/38650a_d6c322457bfa4d7496d7d38e38b48776.pdf?index=true
    • https://uploads.strikinglycdn.com/files/61e44a40-2dd0-4ded-9444-a97f6a12a83f/37035880754.pdf
    • http://jogakijifif.epizy.com/building_construction_progress_report_sample.pdf
    • http://vetuvawefaxuta.rf.gd/imagemagick_convert_to_tiff_black_and_white.pdf
    • https://4192d618-ecd7-4808-8485-efd4d6773ded.filesusr.com/ugd/17a5db_127419e9f1b243c3bf8ec46579eff6c5.pdf?index=true
    • http://wofogadopa.rf.gd/azur_lane_formidable_build.pdf
    • https://86a9da1b-0b57-4b35-a77a-523886b904cd.filesusr.com/ugd/0d9a50_ca27801bf1d64767ac4fe73784589102.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7de24776-a393-411d-8dda-3448ed6680ee/lust_and_other_stories_susan_minot.pdf
    • https://uploads.strikinglycdn.com/files/4c196a12-e1e8-439f-a233-396ee21c3703/50346315159.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
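
Added triage example for the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above. This is illustrative code written for this page, not the scanner's own detection logic, and it runs on a constructed PDF-shaped byte string rather than on the analysed sample. It regex-scans every `N G obj ... endobj` definition (including ones a strict xref-driven reader would never reach), builds the object table a first-wins and a last-wins reader would each see, extracts the `/URI` actions from each, and clusters the link hosts. The sample bytes, the thresholds `min_links` and `min_share`, and the list of keys treated as "active content" are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a minimal PDF-shaped byte string with
#   - four link annotations, three of them clustered on one host (link-farm shape)
#   - object "4 0" defined twice with different bodies, the second copy appended
#     as an incremental update and carrying an active /URI action
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /S /URI /URI (http://example.com/benign) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /URI /URI (http://evil.example/payload) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence in a duplicated body makes the duplicate "active" (assumed list)
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|URI|SubmitForm|GoToR)\b")


def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order. A tolerant regex scan,
    deliberately not a conforming parser: triage wants every body on disk, including
    the ones a strict xref-driven reader would never resolve."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objs):
    """(N, G) -> list of bodies for objects defined more than once with different bytes."""
    seen = {}
    for n, g, body in objs:
        seen.setdefault((n, g), []).append(body)
    return {k: bodies for k, bodies in seen.items() if len(set(bodies)) > 1}


def duplicate_severity(dups):
    """Raise severity only when one of the differing bodies carries active content."""
    return {k: ("high" if any(ACTIVE_RE.search(b) for b in bodies) else "info")
            for k, bodies in dups.items()}


def resolve(objs, policy):
    """Object table as a first-wins or last-wins reader would build it from the raw
    definitions (ignoring xref tables, which is exactly where readers disagree)."""
    table = {}
    for n, g, body in objs:
        if policy == "first" and (n, g) in table:
            continue
        table[(n, g)] = body
    return table


def extract_uris(table):
    """Every /URI action string reachable in the given object table."""
    return [u.decode("latin-1") for body in table.values() for u in URI_RE.findall(body)]


def link_farm_score(uris, min_links=3, min_share=0.6):
    """Flag when many clickable links cluster on one host (thresholds are assumptions)."""
    hosts = Counter(urlsplit(u).hostname for u in uris)
    if not hosts:
        return {"links": 0, "top_host": None, "share": 0.0, "link_farm": False}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / len(uris)
    return {"links": len(uris), "top_host": top_host, "share": share,
            "link_farm": len(uris) >= min_links and share >= min_share}


def triage(data):
    """Combine both checks; the two URI lists differ exactly when a duplicate matters."""
    objs = parse_objects(data)
    dups = duplicate_objects(objs)
    return {
        "duplicates": duplicate_severity(dups),
        "uris_first_wins": extract_uris(resolve(objs, "first")),
        "uris_last_wins": extract_uris(resolve(objs, "last")),
        "link_farm": link_farm_score(extract_uris(resolve(objs, "last"))),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On the constructed sample the first-wins view resolves object 4 0 to the benign URL while the last-wins view resolves it to the appended one, which is the disagreement the heuristic is built to surface; since the second body carries a `/URI` action, the duplicate is rated high rather than info. The link-farm score is computed on the last-wins table because that is what a typical viewer following the most recent trailer shows the user.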

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f85c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF85C   5816 bytes
  SHA-256: 5d5cedef6553212f18e0eac5cfa725f891a123f90d06ce717aca7066b716c3d1
font_01_sfnt_off00010c48.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C48  10732 bytes
  SHA-256: 225648e6155e75dc2fb810d88f00290cb4573661098900ea17307548eed3d7bf