Malicious PDF — malware analysis report

Static analysis result for SHA-256 87e25add50052598…

Verdict: MALICIOUS
File type: PDF, 88.8 KB
Created: 2021-03-29 18:02:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61e5bc2ab838ab8339648c57dbb01d33
SHA-1: 24c7af33b79c6c84de2ea3445f66c31ca5c9bc2a
SHA-256: 87e25add500525985f70c9373fa694025685aee3cee977b5b07496fedc993bdb
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The document is a small PDF carrying dozens of clickable external links, the shape of a generated SEO/link-farm carrier that routes users towards phishing pages or unwanted-software downloads rather than a genuine document. It was produced with wkhtmltopdf, i.e. rendered from HTML, which is consistent with automated generation. The primary URL, https://jumiwimov.ru/wix?keyword=apk+for+showbox+pc, is a software-download lure ("apk for showbox pc"), and most of the remaining links fan out to throwaway PDFs on free hosting (weebly.com, filesusr.com, strikinglycdn.com, epizy.com, 22web.org). The ML classifier (0.9983) and the ClamAV signature agree on a malicious verdict. No JavaScript heuristic fired in this scan, so the T1059.007 mapping above rests on the ATT&CK tagging alone and is not corroborated by the heuristics listed below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature named above.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://jumiwimov.ru/wix?keyword=apk+for+showbox+pc
    • https://fexaxotira.weebly.com/uploads/1/3/5/4/135401388/8b0dd4f.pdf
    • https://kufavugozit.weebly.com/uploads/1/3/5/3/135309998/1782045.pdf
    • https://kenumobubedu.weebly.com/uploads/1/3/4/3/134370592/248078ab66f87.pdf
    • http://50offstore.info/bushcraft_richard_graves8e13h.pdf
    • http://timogefubor.22web.org/talejatibovizokon.pdf
    • https://xadigepuve.weebly.com/uploads/1/3/1/4/131454317/77c6671f.pdf
    • https://zevofukuje.weebly.com/uploads/1/3/4/5/134585027/91619ef8.pdf
    • http://hotita.space/99801405076iw7io.pdf
    • https://gererojakomez.weebly.com/uploads/1/3/1/1/131163960/4475824.pdf
    • http://smirno.life/kenwood_ddx470_bluetooth_pairingb6pd1.pdf
    • http://ourfanz.com/dejidokolodixoys0i.pdf
    • https://zanasebumafuwaj.weebly.com/uploads/1/3/4/8/134899829/jotetefipebunewapesa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6448a590-b571-4b71-a9e4-820b8531b153.filesusr.com/ugd/782be2_b206a9929d99495683a3d7fe8c4a95cc.pdf?index=true
    • https://88966db1-4a83-4446-b941-f65022a6235f.filesusr.com/ugd/928e0f_467f3d35816c4d1fb0b4eff3d19370ba.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b25e168e-2c46-46a8-828f-f2902f8086b0/rebecca_by_daphne_du_maurier_online_book.pdf
    • https://71b4061d-0fbe-47a8-a671-08758978b022.filesusr.com/ugd/0216f2_bc06963b44fa4f358d95939619c96095.pdf?index=true
    • http://gubazit.epizy.com/lucky_movie_chori_chori_song.pdf
    • http://demevobofimozu.epizy.com/date_sheet_ba_2019_ajk_university.pdf
    • https://uploads.strikinglycdn.com/files/f4f7b860-216a-4325-9ac6-790a6b4180e3/juvijixukaviwuwome.pdf
    • https://uploads.strikinglycdn.com/files/4678cfe2-2d1f-4731-82a4-f11bd20d03f2/97491701935.pdf
    • https://uploads.strikinglycdn.com/files/3e70236d-1a69-4cba-a347-84812d694834/gofuj.pdf
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_1a84d71beb37401ead6dd015702c7a7b.pdf?index=true
    • https://6f4861c6-cdf0-4a5f-ba2d-f9c5e5bfbee6.filesusr.com/ugd/77941b_8f82f96d0eb54bac93308eea2832a739.pdf?index=true
    • https://uploads.strikinglycdn.com/files/37c62310-fae0-4976-b809-bef37f7882ad/76882609066.pdf
    The remaining extracted URIs are XMP namespace identifiers and font-licence references (SIL OFL, DejaVu) from the document metadata and embedded fonts, not clickable link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
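The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM, can be reproduced from the raw bytes without a full PDF parser. The Python below is an added example, not the scanner's own code: it scans for `N G obj ... endobj` definitions, reports object numbers defined more than once with differing bodies together with what a first-wins and a last-wins reader would each resolve and whether either body carries active content, and counts /URI link actions clustered by domain. The sample PDF, the thresholds (10 links, 50% on one domain, 200 KB) and the last-two-labels domain grouping are assumptions made for the demo.

```python
"""Re-implementation of two report heuristics over raw PDF bytes.

Added example, not the scanner's own code. Thresholds and the sample PDF
are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order; incremental updates append redefinitions.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI actions with a literal-string target. Hex strings (<...>) and escaped
# parentheses inside the string are not handled here; a real scanner must.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active content" rather than plain data.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def parse_objects(data: bytes):
    """Yield (num, gen, body) for every indirect object definition, in order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than
    once with differing bodies. Reports what a first-wins and a last-wins
    reader would each resolve, and raises severity only if any of the
    bodies carries active content (mirrors the report's scoring note)."""
    defs = {}
    for num, gen, body in parse_objects(data):
        defs.setdefault((num, gen), []).append(body)
    findings = {}
    for key, bodies in defs.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or byte-identical copies: benign
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings[key] = {
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "severity": "high" if active else "info",
        }
    return findings


def base_domain(host: str) -> str:
    """Assumption: last two DNS labels approximate the registered domain
    (no public-suffix list, so co.uk-style suffixes would group wrongly)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_farm_score(data: bytes, min_links=10, min_share=0.5, max_size=200_000):
    """PDF_SEO_LINK_FARM: count /URI actions (clickable links), cluster them
    by domain and flag a small file whose links mostly point at one domain.
    Only /URI actions count; URLs in XMP metadata or page text do not."""
    urls = [u.decode("latin-1") for u in URI_RE.findall(data)]
    domains = Counter(
        base_domain(urlsplit(u).hostname or "")
        for u in urls if u.lower().startswith(("http://", "https://"))
    )
    total = sum(domains.values())
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / total if total else 0.0
    return {
        "external_links": total,
        "top_domain": top_domain,
        "top_share": round(share, 2),
        "flagged": len(data) <= max_size and total >= min_links and share >= min_share,
    }


def build_sample_pdf() -> bytes:
    """Constructed sample: a link-farm-shaped PDF whose catalog is redefined
    by an appended update that adds /OpenAction. Not the analysed file."""
    urls = [f"https://site{i}.weebly.com/uploads/{i}.pdf" for i in range(9)]
    urls += ["http://50offstore.info/a.pdf", "http://hotita.space/b.pdf",
             "http://www.ascendercorp.com/"]
    annots = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, u.encode())
        for i, u in enumerate(urls))
    head = (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [] >>\nendobj\n"
            # XMP namespace URL: present in the file but not a /URI action
            # (/Length is illustrative; the demo never decodes streams).
            b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length 0 >>\nstream\n"
            b"<x:xmpmeta xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>\n"
            b"endstream\nendobj\n")
    # Appended redefinition of object 1 0: first-wins readers see a plain
    # catalog, last-wins readers see one with an auto-run action.
    update = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 10 0 R >>\nendobj\n%%EOF\n"
    return head + annots + update


if __name__ == "__main__":
    sample = build_sample_pdf()
    for (num, gen), f in duplicate_objects(sample).items():
        print(f"{num} {gen} obj defined {f['definitions']}x, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
    print(link_farm_score(sample))
```

Two points the sample makes that the heuristic text only states: the XMP namespace URL in object 4 is never counted because it is not a /URI action, which is why the w3.org, purl.org and ns.adobe.com entries above are noise rather than links; and the redefined catalog is only rated "high" because its second body carries /OpenAction, so a benign incremental save that merely rewrites /Pages would stay at "info". Clustering by hostname alone would miss the weebly.com pattern, since every link sits on its own subdomain.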

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 on the following line)

font_00_sfnt_off0000fd36.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD36 | 3080 bytes
  SHA-256: 8574919c7c8a9f024103958ce015253c5a24b8e646cdb5f787658918713f2b2b
font_01_sfnt_off0001083e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1083E | 5216 bytes
  SHA-256: 9480753f2b58d234cf036001352b6bfb4551d674c71412c4a4787b074c1c6db4
font_02_sfnt_off00011a12.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A12 | 11084 bytes
  SHA-256: 83a0be677547812fa834c0ea4d6dee5e041a264a4ac696ef35b54486fe3d1005
font_03_sfnt_off00013fe1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FE1 | 16344 bytes
  SHA-256: 7e0863d6dcdfe3ce59f67395a06e5e8634226e44f713773c85e494ff6d119ee1
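The carved fonts above are raw sfnt (TrueType/OpenType) blobs. As an added example that is not part of the report, the check below parses the sfnt offset table and table directory and flags any table record whose byte range falls outside the blob or overlaps the directory, which is the first thing to verify before handing a carved font to a real font parser. The two blobs are constructed in-line for the demo and are not the fonts listed above.

```python
"""Structural sanity check for carved sfnt (TrueType/OpenType) font blobs.

Added example, not part of the report's tooling. The blobs built below are
constructed for the demo; nothing here is derived from the analysed file.
"""
import struct

# sfntVersion values that introduce a real font; anything else is not sfnt.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "CFF OpenType",
    b"true": "Apple TrueType",
}
OFFSET_TABLE_LEN = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
TABLE_RECORD_LEN = 16   # tag(4) checksum(4) offset(4) length(4)


def check_sfnt(blob: bytes) -> dict:
    """Parse the offset table and table directory. Returns the flavour, the
    table tags, and every record whose [offset, offset+length) lies outside
    the blob or inside the header/directory area."""
    if len(blob) < OFFSET_TABLE_LEN:
        return {"ok": False, "reason": "shorter than offset table"}
    magic = blob[:4]
    if magic not in SFNT_MAGICS:
        return {"ok": False, "reason": f"unknown sfnt version {magic!r}"}
    num_tables = struct.unpack(">H", blob[4:6])[0]
    directory_end = OFFSET_TABLE_LEN + TABLE_RECORD_LEN * num_tables
    if directory_end > len(blob):
        return {"ok": False,
                "reason": f"table directory ({num_tables} records) exceeds blob"}
    tables, out_of_bounds = [], []
    for i in range(num_tables):
        start = OFFSET_TABLE_LEN + TABLE_RECORD_LEN * i
        tag, _checksum, offset, length = struct.unpack(
            ">4sIII", blob[start:start + TABLE_RECORD_LEN])
        tag = tag.decode("latin-1")
        tables.append(tag)
        # A table must start after the directory and end inside the blob.
        if offset < directory_end or offset + length > len(blob):
            out_of_bounds.append((tag, offset, length))
    return {"ok": not out_of_bounds, "flavor": SFNT_MAGICS[magic],
            "tables": tables, "out_of_bounds": out_of_bounds}


def build_sfnt(records, payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed TrueType-flavoured sfnt: `records` is a list of
    (tag, offset, length); `payload` follows the directory."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(records), 0, 0, 0)
    directory = b"".join(struct.pack(">4sIII", tag, 0, off, ln)
                         for tag, off, ln in records)
    return header + directory + payload


if __name__ == "__main__":
    # Directory of two records ends at 12 + 2*16 = 44; both tables fit.
    good = build_sfnt([(b"head", 44, 32), (b"hmtx", 76, 0)])
    # One record runs far past the blob, another points back into the header.
    bad = build_sfnt([(b"glyf", 44, 0x7FFFFFFF), (b"cmap", 0, 16)])
    print(check_sfnt(good))
    print(check_sfnt(bad))
```

A font that fails this check is not thereby malicious, but it is not something a well-formed font converter would have emitted, and it is exactly the kind of blob worth pulling aside before any parser that trusts the directory touches it.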