Malicious PDF — malware analysis report

Static analysis result for SHA-256 89c5dff0d7229d5f…

Verdict: MALICIOUS
File type: PDF

Size: 76.1 KB
Created: 2021-06-07 11:41:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8349bc2eb6288512c05b7b91f54dfddf
SHA-1: 692a91a1c7399e24a32bf198e6ef2885e0b2df3f
SHA-256: 89c5dff0d7229d5f993b2a40e7346bc9de47e27b0e3573a50bee076d2f092e16
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. One prominent URL, 'https://synerhu.ru/pbw?utm_term=how+do+you+wash+a+large+stuffed+animal', is embedded within the document, suggesting a lure to a potentially malicious website. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/pbw?utm_term=how+do+you+wash+a+large+stuffed+animal
    • https://cdn-cms.f-static.net/uploads/4467586/normal_5fe9f75502d97.pdf
    • https://static.s123-cdn-static.com/uploads/4368982/normal_5feb6dbe676f7.pdf
    • https://riwaduzubef.weebly.com/uploads/1/3/4/3/134319835/355022.pdf
    • https://cdn-cms.f-static.net/uploads/4426090/normal_60362e937a9ba.pdf
    • https://nifanepuram.weebly.com/uploads/1/3/4/7/134700908/finixez-gipurawufelude-mamigomotejuma-tisuvaviko.pdf
    • https://palajuwasodix.weebly.com/uploads/1/3/2/8/132815908/51da1157e563.pdf
    • https://kilekefaze.weebly.com/uploads/1/3/4/6/134631798/gekasexim_mutewesawebe_zubewududugubo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/208cfa86-d9b7-4a4a-bafc-2f6a77d8c4fa/95248499211.pdf
    • https://uploads.strikinglycdn.com/files/13fba85d-d0f6-4204-843a-e70395261da4/25895665113.pdf
    • https://uploads.strikinglycdn.com/files/ecb78e70-fefa-44d6-b117-7c110bba6539/why_isnt_my_fios_remote_working.pdf
    • https://uploads.strikinglycdn.com/files/8824f12e-25d4-4a93-bbc8-6146730d789e/mechanics_of_materials_10th_edition_solutions.pdf
    • https://uploads.strikinglycdn.com/files/52b6c152-aaf0-40d6-95bd-f910b04b71d4/porter_cable_pancake_compressor_relief_valve.pdf
    • http://dipoziw.pbworks.com/f/how_to_crack_steam_api.pdf
    • https://uploads.strikinglycdn.com/files/03f304a5-6938-43f4-baa1-e51d91c4fefa/mini_vci_j2534_driver_windows_10_download.pdf
    • https://uploads.strikinglycdn.com/files/7c1ab38b-01b6-40bf-bf33-46d938a44c85/wildgame_innovations_insite_air_trail_camera_reviews.pdf
    • https://uploads.strikinglycdn.com/files/f29b15d2-a753-47d5-84fa-494fc3ef6234/baofeng_uv-5r_plus_manuale_italiano.pdf
    • https://uploads.strikinglycdn.com/files/d46a253b-ddfe-46d0-b81d-0bc9aea573df/69869272880.pdf
    • https://uploads.strikinglycdn.com/files/c9663fc4-682d-424e-9200-6306ee6bdd58/how_to_clean_home_dehumidifier_filter.pdf
    • http://nolumemonip.pbworks.com/f/saregama_carvaan_tamil_songs_list.pdf
    • http://vejivab.pbworks.com/w/file/fetch/144559023/how_to_reset_iphone_6_plus_with_passcode.pdf
    • https://uploads.strikinglycdn.com/files/2ec55c37-1483-49ea-a74f-9fd771821990/depimovonesurejetalaj.pdf
    • http://sovafiben.pbworks.com/w/file/fetch/144777648/mecanica_vectorial_para_ingenieros_estatica_10_edicion_descargar.pdf
    • http://xalanupuzewo.pbworks.com/f/dental_assisting_training_books.pdf
    • https://uploads.strikinglycdn.com/files/c8725930-05c4-4834-a586-5582442e4340/535003549.pdf
    • https://uploads.strikinglycdn.com/files/ccf6ddef-a61e-4471-a4f1-9746b0ad243c/beats_solo_3_wireless_rose_gold_instructions.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eb4d.bin
    SHA-256: 30e820960f6a5d94db1742db13fe6da94cfe4b5172a22b71a3450719b4668c50
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB4D
    Size: 5476 bytes
  • Filename: font_01_sfnt_off0000fddb.bin
    SHA-256: 019b4709aa17e40119e09040feab1eea74609425af3230f00a01a16533858728
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDDB
    Size: 10748 bytes