Malicious PDF — malware analysis report

Static analysis result for SHA-256 804b7efeb35f56ad…

MALICIOUS

PDF

Size: 86.5 KB
Created: 2021-03-27 16:59:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5a04405e561d50d5359c0080483701d
SHA-1: 2594892dec1753b49556ec1a69d193b9fe0a3d74
SHA-256: 804b7efeb35f56ad7facbb2b99f64fa93a33c1d75d6e53dffbb30b4b24dbda8b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of them structured as a link farm, which suggests a phishing or SEO-poisoning attempt. The PDF_SEO_LINK_FARM heuristic fired on this mass of external PDF links; a representative example is https://pisukobuvasojab.weebly.com/uploads/1/3/4/3/134398412/9730735.pdf. The embedded URL https://druttle.ru/wix?keyword=9+bonding+and+molecular+structure+worksheet+answers+south+pasadena, whose query string carries a search phrase, further supports a search-result lure. The ML classifier and the ClamAV detection together strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=9+bonding+and+molecular+structure+worksheet+answers+south+pasadena
    • https://pisukobuvasojab.weebly.com/uploads/1/3/4/3/134398412/9730735.pdf
    • https://cdn.sqhk.co/dusaradezat/bOMB5Gl/bikotuborifimusepezarezu.pdf
    • https://cdn.sqhk.co/mofosalamo/hdlstja/black_friday_2020_best_buy_laptops.pdf
    • https://pudexaxetodeli.weebly.com/uploads/1/3/2/6/132683251/fenadovuliwu.pdf
    • https://jixivegeparimes.weebly.com/uploads/1/3/4/7/134749144/lupebaruraf.pdf
    • https://cdn.sqhk.co/pibegufuxova/NPShchc/off_my_bucket_list_meaning.pdf
    • https://cdn.sqhk.co/nivazesoj/ggUaghs/download_super_soccer_champs_2019_mod_apk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1b3fde16-7575-45ba-b40e-8916c64185ca.filesusr.com/ugd/8874e8_d212b780288c4015b828c094387d167e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c9d33b06-9232-4068-877c-2a12aeeba3a4/43748511300.pdf
    • https://uploads.strikinglycdn.com/files/18f68506-17b6-4a84-9905-7069ff04b7a7/20676984071.pdf
    • https://6196a4e6-b3b5-4a85-a139-4ec84e0a53d9.filesusr.com/ugd/d01287_dc8559a6547f43be95f53ffa48215963.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2873b8ea-950e-4a8c-86cc-d88171a609b1/bumigovela.pdf
    • https://d6aab468-caab-4d9e-910f-d3bf64ae4104.filesusr.com/ugd/5438e3_b2af778c76844922abfd2d4dc2bbc1b8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8d01a0ad-e9bd-4ad1-91ad-0e1a50b1eb94/parerudenakudemoj.pdf
    • https://s3.amazonaws.com/zonebon/vakudemiguge.pdf
    • https://198ac300-f2de-41a8-aaa9-2df0d2bfefbb.filesusr.com/ugd/232b71_3ba5c5fdcd3c483fad2f0b19e2fd0fd7.pdf?index=true
    • https://s3.amazonaws.com/vinejivunitego/kalamipopukuro.pdf
    • https://s3.amazonaws.com/vebisop/9107081423.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000100e4.bin
    SHA-256: d21b42a22aa7e698c3a2508c9e8d912b8f38aadcc684015d83407b26e6986445
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100E4
    Size: 5040 bytes
  • font_01_sfnt_off00011222.bin
    SHA-256: 5df284b1f891dfd0c53718f10f07fea71c7961fce040b52624146adc5e7d8938
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11222
    Size: 5844 bytes
  • font_02_sfnt_off000125e1.bin
    SHA-256: 4839e456dea6bb89dedf08153dba68659e77598c6f338e17699b46344a23e39f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x125E1
    Size: 11604 bytes