Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b3750217a23b02f…

Verdict: MALICIOUS
File type: PDF
Size: 108.2 KB
Created: 2021-04-12 06:01:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9e1366a5a1cd0a80a60b40c4bed3d61
SHA-1: e1525a414b6e93699b6b7ae99d5c3b3756acdde7
SHA-256: 8b3750217a23b02f12f3c97b800bdbfe29e0af6df37401c645697682d731d0c0
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and by an ML classifier, indicating a phishing or trojan threat. It contains a large number of external links, many of them pointing to PDF files hosted on various domains, which suggests a link farm or redirection scheme. Although the document body is heavily obfuscated, its metadata shows it was generated by wkhtmltopdf, and the primary heuristic indicates the file is designed to drive traffic to external URLs, most likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00015e34.bin | 79f3037ae3dbe1c74726cd529ad10d0fd9be30c00e84f0b7cf132712eba3d9a2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15E34 | 5052 bytes
font_01_sfnt_off00016f60.bin | 086e5fe3d9aef4ec9bc4b939b5c446f5bd9f41b3f4c1a1f543103b6d2f1490fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16F60 | 10284 bytes
font_02_sfnt_off00019283.bin | ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19283 | 4324 bytes