Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e2f265a19095187…

MALICIOUS

PDF

85.8 KB Created: 2021-03-17 10:57:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ece16ecea10dd7136b8f280c584f4fe SHA-1: 207745aba7cd598e4ea1ba516e23bcda8840050d SHA-256: 8e2f265a19095187c351c081d1eade6e76bd7618ac70b3a0eac07df9f8bbee01
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document body, though partially corrupted, suggests a lure related to 'Starbucks secret menu hot beverage'. The presence of numerous external links, including a link farm heuristic, points towards an attempt to redirect users to potentially malicious sites for phishing or further payload delivery. The file also contains embedded URLs, further supporting the redirection tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=starbucks+secret+menu+hot+beverage
    • https://cdn.sqhk.co/turovonunido/jikhijh/group_calls_app.pdf
    • https://cdn.sqhk.co/zivalutapa/hfij1y1/online_recharge_vodafone_amazon.pdf
    • https://cdn.sqhk.co/nurijodefa/jchgfhe/tabibolelupaxadupow.pdf
    • https://cdn.sqhk.co/dimowitop/kibAJxY/stick_it_in_your_ear_crossword.pdf
    • https://cdn.sqhk.co/kezomerameki/hggSjah/fifafarobisuxuvasenip.pdf
    • https://gixovazaviv.weebly.com/uploads/1/3/5/9/135982549/3d33d.pdf
    • https://xixilizuxuwogag.weebly.com/uploads/1/3/4/8/134879277/benipamitofujub.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://32b33340-d9da-4ef7-b3bd-a0ac5134eb71.filesusr.com/ugd/adfa6f_5402e44b57474dda8ca982f6ad3b4464.pdf?index=true
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_868ce100810f49ad86e02a63caf22c31.pdf?index=true
    • https://938a05da-450f-421e-a59b-0448473a402a.filesusr.com/ugd/cb5dea_386f41d63adf45f0beb921621eb81e81.pdf?index=true
    • https://uploads.strikinglycdn.com/files/df0e31ef-64df-417b-b54e-e0673b72e3c8/51013119054.pdf
    • https://s3.amazonaws.com/pexodugosa/witunowufuremi.pdf
    • https://uploads.strikinglycdn.com/files/49afc921-482f-412e-a70c-b87114eb4421/pesuripiselatob.pdf
    • https://uploads.strikinglycdn.com/files/253473f4-c301-467c-83d8-0669d8dc56a3/kidde_kn-copp-3_nighthawk_plug-in_carbon_monoxide_alarm.pdf
    • https://60f6da8c-824c-4163-aae9-6195f2ac7ed4.filesusr.com/ugd/7f16bd_733e5684624049a6b1546c67d1b518a4.pdf?index=true
    • https://s3.amazonaws.com/sedimeraxufi/murifaxisogaweb.pdf
    • https://98cdd5c5-c43e-49eb-9373-39517e896cbb.filesusr.com/ugd/90661f_456633e98505440db0a77f16b5490a34.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e416d100-a80a-46d6-9e30-e7a1b52a6e36/jebumup.pdf
    • https://s3.amazonaws.com/tokudapele/52551300677.pdf
    • https://5fdaa9e0-ad6d-443b-8779-beb8e45026dc.filesusr.com/ugd/05301a_9926fcce970641b58679ab7cf434f5ed.pdf?index=true
    • https://s3.amazonaws.com/bulalowisu/american_war_full_movie.pdf
    • https://451b78f8-089e-4d4d-bc4b-60abb621f7e6.filesusr.com/ugd/7ef0dc_ea0a8b683a2d4f76a00a8c665cc2387f.pdf?index=true
    • https://0e9c393c-9feb-4465-ae9d-4486bea7a644.filesusr.com/ugd/4b68be_d834bc0e298340948d77469485ffbc8d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f5b9.bin
8b5a9f1d134d7916116f424b12742986ebf11f03ee59e8866995dc9162c4755a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5B9 5548 bytes
font_01_sfnt_off0001086c.bin
3d271d7d5beba2f3e123048aecf3deb3c6116fa8c72afee56d861f2396cc0ead		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1086C 8836 bytes
font_02_sfnt_off000120de.bin
56d74ce4dd1836572fbfc4fdeb767fc34fd798b7c38ef7e0af63c0e24687cb21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x120DE 11512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.