Malicious PDF — malware analysis report

Static analysis result for SHA-256 9355732aad70ff57…

MALICIOUS

PDF

Size: 80.5 KB
Created: 2021-04-02 06:55:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c58ad0140adba4b33e1367578c2aef8c
SHA-1: 79001d633a107d95ca9b027c66f667e0bec521ea
SHA-256: 9355732aad70ff57dafd13b5cbb5c2b8dc9a0b6658e9f6f8cfd430de18241e57
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are dynamically generated, suggesting a link farm or phishing attempt. The primary malicious URL identified is https://seumenha.ru/strik, which is presented in a context related to a 'Subaru ea190v pressure washer' to deceive users. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=subaru+ea190v+pressure+washer
    • https://cdn-cms.f-static.net/uploads/4495531/normal_5fe99f834c0e3.pdf
    • https://cdn-cms.f-static.net/uploads/4426679/normal_604514bb23268.pdf
    • https://cdn-cms.f-static.net/uploads/4496015/normal_6016aa00794ce.pdf
    • http://wajuxerisowo.iblogger.org/zigazuv.pdf
    • https://cdn-cms.f-static.net/uploads/4413978/normal_605449c1a501f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_90ff787e583940bba281ce5777ed7e62.pdf?index=true
    • https://c5c1e25b-3ca9-4f8f-aecb-0ee3b29cb37b.filesusr.com/ugd/f4fe7b_56cccc3064334ef1a292a552c9e74a4e.pdf?index=true
    • https://s3.amazonaws.com/remufuzu/pobenuwo.pdf
    • https://uploads.strikinglycdn.com/files/4ec5714c-1a1f-46c3-befd-df99ce93e999/69910874347.pdf
    • https://uploads.strikinglycdn.com/files/a4636c8f-f6d1-49a0-bfa7-92cd2511ebac/cateye_cycle_computers_for_sale.pdf
    • https://uploads.strikinglycdn.com/files/8fdfc338-0641-4d19-a800-ee211629d2a1/zamosavasetakozufal.pdf
    • https://s3.amazonaws.com/sigobija/california_yellow_immunization_card.pdf
    • https://s3.amazonaws.com/wunojipu/27336721796.pdf
    • http://dobejul.epizy.com/coffee_making_guide.pdf
    • https://uploads.strikinglycdn.com/files/b513cfbc-d9b4-42f8-9d95-9c589b3e6385/how_much_do_maids_get_paid_in_saudi_arabia.pdf
    • http://marivugedada.epizy.com/32108796538.pdf
    • https://uploads.strikinglycdn.com/files/44ca2712-6ddb-4533-be02-32000a25eeb7/47924943913.pdf
    • https://s3.amazonaws.com/lopeteb/bombay_tamil_movie_song_starmusiq.pdf
    • http://fupisetugib.rf.gd/mudoronegudipo.pdf
    • https://5f90d536-2a72-4461-adff-280afd3056cb.filesusr.com/ugd/27c394_c64d363dd07549d084f3ae23ee4786db.pdf?index=true
    • https://uploads.strikinglycdn.com/files/036bf3d1-a9a1-41af-bf97-a679b6fdaf7c/how_much_is_rock_band_4_for_ps4.pdf
    • https://uploads.strikinglycdn.com/files/975f63f7-a066-4254-84b3-34fe0efd41bd/sodonudonojewopozude.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa4e.bin
  SHA-256: 0c51af886d197668a58ef116b00b60b61f4688cfa5e77f8e221952c4d882eaf6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA4E
  Size: 5620 bytes

Filename: font_01_sfnt_off00010d7d.bin
  SHA-256: 965691b884942e4d6de187cc4644c63593fd5aa19deabad3390b78a0a93df78a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10D7D
  Size: 11444 bytes