Malicious PDF — malware analysis report

Static analysis result for SHA-256 87d154de29bd6d51…

MALICIOUS

PDF

82.1 KB Created: 2021-03-23 23:09:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b56063a2c8a2898a712fca9544464f2 SHA-1: eb650a89721cecb22c191713e35bebf24c11df81 SHA-256: 87d154de29bd6d51ecf65dcd28880f36c5172a6a0b47fc87e590a9e2742eb90b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The primary malicious URL identified is https://jumiwimov.ru/123?utm_term=brother+printer+software++australia, which is likely used to redirect users to malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/123?utm_term=brother+printer+software++australia
    • https://kekufekogaj.weebly.com/uploads/1/3/4/7/134768560/2787157.pdf
    • https://xidakagufade.weebly.com/uploads/1/3/4/4/134400986/tutoru.pdf
    • http://igbusinessabouthelp.com/3277685922c6y4n.pdf
    • https://kafaxidaduxeb.weebly.com/uploads/1/3/1/4/131438036/350a50827f3.pdf
    • http://reduslim-sito.site/rosine70iys.pdf
    • https://pajodiwid.weebly.com/uploads/1/3/0/9/130968992/6414551.pdf
    • https://jamelowo.weebly.com/uploads/1/3/1/6/131606155/4c7e1fbf4241fb3.pdf
    • https://nenubijul.weebly.com/uploads/1/3/5/3/135393623/9bef55.pdf
    • https://tunibedexorole.weebly.com/uploads/1/3/5/3/135350281/a4d1cc59.pdf
    • https://nonexivibofopuv.weebly.com/uploads/1/3/4/6/134603010/334845.pdf
    • https://neveloso.weebly.com/uploads/1/3/1/4/131408616/woxozamiwe-vifivuki-kejejovenu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e97408dc-4b05-4e3b-9f19-f4127feb49ef.filesusr.com/ugd/a42eed_66656615d55749d38107a080053e878c.pdf?index=true
    • https://s3.amazonaws.com/zerepuzuze/john_deere_d140_issues.pdf
    • https://4461694d-a6f7-4a69-895a-ff5ddeb3c622.filesusr.com/ugd/f504fb_a8a3f565f0cd47f0849041f989bb1fc2.pdf?index=true
    • https://ac402fee-74f4-49a6-b5a4-6a03c6a057de.filesusr.com/ugd/b0cd75_03e80d3884294ae399d7c4febec7a422.pdf?index=true
    • https://uploads.strikinglycdn.com/files/70776e57-92fa-4052-a60b-b5c81c3c46e2/72831321257.pdf
    • https://uploads.strikinglycdn.com/files/9187c5a4-69dd-46f4-b16c-2ea73b3ae974/how_do_i_access_my_verizon_cloud_online.pdf
    • https://uploads.strikinglycdn.com/files/ba0614bb-0daa-4284-b8a7-dc3ee461ae5a/principles_of_microeconomics_book_online.pdf
    • https://s3.amazonaws.com/mukut/nuxed.pdf
    • https://uploads.strikinglycdn.com/files/0353b92f-7421-4257-a51c-12bb8eec3764/john_owen_mortification_of_sin_audio.pdf
    • https://s3.amazonaws.com/jusuberu/unity_download_assistant_error_code_1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001051b.bin
80dd391f01d08effbb9b97c1b7a3cb19ff9705d00f6fcba6d6171550dcb02577		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1051B 5132 bytes
font_01_sfnt_off000116a0.bin
76c85a175aeb8b78a786fd700c6f6e5137db41c4988f084dcbf8faf82ca51d19		 pdf-font-stream PDF embedded font (sfnt) at offset 0x116A0 10508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.