Malicious PDF — malware analysis report

Static analysis result for SHA-256 82c5c1dd57cdc3e5…

Verdict: MALICIOUS
File type: PDF
Size: 90.2 KB
Created: 2021-04-07 22:23:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1ce3649fbeec94be13aa3e122b5d2be
SHA-1: 74d0e4229af2e48076c68b4c1acff025a01e1a25
SHA-256: 82c5c1dd57cdc3e5c32240ac9bfdd8bf8c0fea89e4b1b367dd136d4cb43d33bc
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are SEO-optimized, suggesting a link farm or phishing attempt. The embedded URL `https://maypoin.ru/strik?utm_term=whirlpool+duet+washer+won%2527t+start+just+clicks` is particularly suspicious and likely leads to a malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://maypoin.ru/strik?utm_term=whirlpool+duet+washer+won%2527t+start+just+clicks

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000114db.bin
  SHA-256: fb6ea949080429f946144ffc767ef1282ee90461a6519e1cf3a58be9b5be1c80
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x114DB
  Size: 5320 bytes

Filename: font_01_sfnt_off00012708.bin
  SHA-256: aa3f11334c2020213762c60716ca753abef730b3233580306055986f15d5437a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12708
  Size: 11232 bytes

Filename: font_02_sfnt_off00014d86.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14D86
  Size: 4324 bytes