Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d2b778d8e63c374…

Verdict: MALICIOUS

File type: PDF

Size: 105.3 KB
Created: 2021-03-20 06:37:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2e2845b2ee8dd99a8ec35549662ddf9
SHA-1: b49d806a4103c0463f92d8737465052ba70edcc5
SHA-256: 8d2b778d8e63c3740c3e02b96655fbed1ec2a8426e5978dae3d16d5251176fad
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by three independent signals: a critical ClamAV detection (Pdf.Phishing.Trojan), the critical PDF_SEO_LINK_FARM heuristic, and a machine-learning score of 0.9987. The file is small (105.3 KB) and was rendered from HTML with wkhtmltopdf, yet it carries a large number of clickable external links to other PDFs spread across a few file-hosting hosts (cdn.sqhk.co, uploads.strikinglycdn.com, filesusr.com, s3.amazonaws.com) plus one to seumenha.ru. That is the pattern of a generated SEO/link-farm PDF used to route readers into a phishing or unwanted-software delivery chain, not a genuine document's citation pattern. No JavaScript or other script was extracted, so the T1059.007 mapping rests on the classifier rather than on extracted content, and the risk of this sample lies in where its links lead rather than in code it runs. One indirect object is defined twice with different bodies; that is common in benign incremental updates, but it is worth resolving under both first-wins and last-wins parsing to confirm which content a given reader would display.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript or launch action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wix?keyword=crkveni+kalendar+2019+pravoslavni
    • https://cdn.sqhk.co/buzunonoj/3Eshhgf/nick_carter_news_2020.pdf
    • https://cdn.sqhk.co/rapurakoke/jqpNEhd/steam_gift_card_amazon_uk.pdf
    • https://cdn.sqhk.co/dutimapo/erZzxhi/masitiwaxexisun.pdf
    • https://cdn.sqhk.co/nozujeraguje/hfjfawn/34632807262.pdf
    • https://cdn.sqhk.co/guranotup/Vgfsehc/lilolelorusijuzumubir.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b3869c01-fe75-427a-8426-3770be906f0a/why_is_my_dishwasher_saying_no_water.pdf
    • https://92ddf5cc-4ce7-4caf-b117-8241c553a727.filesusr.com/ugd/42bae0_2937f81fa3a244ecbcaacba2c06338a1.pdf?index=true
    • https://a79fbd7c-12a6-44fe-9d3c-43dc2b0795a8.filesusr.com/ugd/f95141_4219366d2a864d7e8c64e4c304abe6a1.pdf?index=true
    • https://s3.amazonaws.com/bivanud/blank_borehole_log_template.pdf
    • https://uploads.strikinglycdn.com/files/4d23da3a-c669-457f-ac11-827d04f12e6e/english_grammar_basic_notes.pdf
    • https://s3.amazonaws.com/tumasun/48652351065.pdf
    • https://aefbb2f1-1cfc-4a48-aab2-d72547d84173.filesusr.com/ugd/2f3ac6_ae28c2c7c61045e5b8f1e187d5453c93.pdf?index=true
    • https://s3.amazonaws.com/novifamigot/gimorutoluderatowowo.pdf
    • https://uploads.strikinglycdn.com/files/467c3d3b-a89f-428a-82a8-a12965b8f6f3/22285942183.pdf
    • https://uploads.strikinglycdn.com/files/96fc4219-631a-40b6-b597-bf3ee2e537ec/mejores_frases_del_amor_en_los_tiempos_del_colera.pdf
    • https://19527f6f-7821-4b33-8e58-d909ab9a203f.filesusr.com/ugd/b18fc6_bd7da9a255fe47dfa2a80fd90c958dde.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2d436d6f-76a7-4ab4-b6a6-f92d3758a9e7/how_do_i_translate_a_file.pdf
    • https://uploads.strikinglycdn.com/files/03af0027-a395-4f39-8786-8c56960c4076/betitavafa.pdf
    • https://uploads.strikinglycdn.com/files/0b3ba19b-8ce7-4ea0-bca7-65c5730f181d/the_crucible_act_1_study_questions_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/d0340e56-d1d2-4c0c-9588-07fcd8a0ec9c/are_baby_goats_called_lambs.pdf
    • https://s3.amazonaws.com/remeranexe/vutilafisefemuvoj.pdf
    • https://uploads.strikinglycdn.com/files/0f393432-db14-4d56-a462-c1deb35cc890/zamiweba.pdf
    • https://14864a69-2465-45da-a912-c6f78a3f99b9.filesusr.com/ugd/409ca8_0f353f6a275144c899ec3bf709fabfcd.pdf?index=true
    • https://s3.amazonaws.com/desekusoxi/nipofekipavi.pdf
    The remaining entries are not link targets: the first six are XMP/RDF and Dublin Core metadata namespace identifiers from the document's metadata packet, and the last three are font licence URLs of the kind carried in the name table of embedded open-source fonts (the SIL Open Font License and the DejaVu project). They are listed for completeness only.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
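The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a raw-byte scan. The script below is an added example and is not code from the analysis platform; it runs on a constructed miniature PDF (hosts under example.test, no xref tables) that defines object `4 0` twice, once in the original body and again in an appended incremental update with a different /URI, and carries several link annotations clustered on one host. The link-farm thresholds and the list of "active content" keys are assumptions chosen for the example.

```python
"""Raw-byte triage for two PDF heuristics: clustered external /URI link
annotations, and an indirect object defined twice with different bodies."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file. Object "4 0" is defined in the
# original body and again in an appended incremental update with a different
# /URI. The xref tables are omitted: these checks scan bytes, not the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Page /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a/one.pdf) >> >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b/two.pdf) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c/three\\(1\\).pdf) >> >>
endobj
7 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f63646e2e6578616d706c652e746573742f642f666f75722e706466> >> >>
endobj
8 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://legit.example.test/) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.test/landing) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI followed by a literal string (with backslash escapes) or a hex string.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<(?!<)([0-9A-Fa-f\s]*)>)")

def find_objects(data: bytes):
    """Every object definition in file order, redefinitions included."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]

def duplicate_objects(data: bytes):
    """(num, gen) -> bodies, for objects defined more than once with differing
    bytes. Byte-identical re-saves (benign incremental updates) are ignored."""
    bodies = {}
    for num, gen, body in find_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}

def resolve(data: bytes, num: int, gen: int, policy: str = "last"):
    """Body a first-wins or last-wins reader would use for (num, gen).
    Real readers walk the xref chain; file order approximates that here."""
    hits = [b for n, g, b in find_objects(data) if (n, g) == (num, gen)]
    if not hits:
        return None
    return hits[0] if policy == "first" else hits[-1]

def _pdf_string(literal, hexstr):
    if literal is not None:  # only the delimiter escapes are undone here
        return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")
    return bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii")).decode("latin-1")

def uri_actions(data: bytes):
    """Targets of every /URI action visible in the raw bytes. Objects packed
    into compressed /ObjStm streams must be inflated first to be seen."""
    return [_pdf_string(m[1], m[2]) for m in URI_RE.finditer(data)]

def link_farm(uris, min_links=5, cluster_ratio=0.5):
    """Many clickable links, mostly on one host (thresholds are assumptions)."""
    if len(uris) < min_links:
        return None
    host, n = Counter(urlparse(u).hostname or "" for u in uris).most_common(1)[0]
    ratio = n / len(uris)
    return {"host": host, "links": len(uris), "ratio": round(ratio, 3),
            "flag": ratio >= cluster_ratio}

def triage(data: bytes):
    """Duplicates only count as severe when a body carries active content."""
    dups = duplicate_objects(data)
    active = {k: v for k, v in dups.items()
              if any(re.search(rb"/URI|/JS\b|/JavaScript|/Launch", b) for b in v)}
    uris = uri_actions(data)
    return {"uris": uris, "link_farm": link_farm(uris),
            "duplicate_objects": dups, "active_duplicates": active}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(key, value)
```

On the sample, `resolve(SAMPLE_PDF, 4, 0, "first")` returns the original cdn.example.test annotation while `"last"` returns the lure.example.test one, which is exactly the split a scanner and a viewer can land on either side of. On a real file, run the same scan after inflating any FlateDecode object streams, since link annotations stored in /ObjStm are invisible to a byte-level regex.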

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00013a71.bin
  SHA-256: 5db40b8a8b2cdea7531db24ecc4698bb740d1f4b2be4a43144ec61d9e1b2d9eb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13A71
  Size: 5464 bytes

Filename: font_01_sfnt_off00014d17.bin
  SHA-256: 35e34e53f94261249b956d18248ccc53ff66194afb856195dbac1a2ec2814fe4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14D17
  Size: 17508 bytes

Filename: font_02_sfnt_off00018034.bin
  SHA-256: c4a32a89361e223d363bbbc451e24ad2dfb7288824981cc154c550d0be6e69c1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18034
  Size: 16728 bytes

No heuristic fired on the carved font streams; they are listed so their hashes can be checked independently.