Malicious PDF — malware analysis report

Static analysis result for SHA-256 85b575340c5e02fc…

Verdict: MALICIOUS
File type: PDF
Size: 77.2 KB
Created: 2021-03-30 05:42:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 438209dbf2eb51cfee4b6f0be7050250
SHA-1: 16f2d47c4b1936145d6af5f893a98d68c4433f7d
SHA-256: 85b575340c5e02fc0e1cf9dbe8d23cffb75f86d4e1a8bf2136a9b40c5fb26d69
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign PDFs, but one suspicious URL (https://leonvi.ru/award?keyword=anatomy+and+physiology+of+human+skin+pdf) is present. The heuristic 'PDF_SEO_LINK_FARM' indicates the document is designed to host numerous links, likely for SEO manipulation or to distribute malicious content. ClamAV detection and ML classification strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://leonvi.ru/award?keyword=anatomy+and+physiology+of+human+skin+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off0000ef46.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF46  | 5512 bytes
  SHA-256: 3656ce562ac4b152dceccf05541c119dd4b8e98a9f8f42013e8fc905ec3907a2
font_01_sfnt_off000101f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101F2 | 10968 bytes
  SHA-256: 798b9a170dc18fa95e09184fdb447c6ae228d435c732d2ce4f8f98153f87af31