Malicious PDF — malware analysis report

Static analysis result for SHA-256 94363166315a3ae7…

MALICIOUS

PDF

77.4 KB Created: 2021-03-16 19:21:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c9e3baa8982bba4ec775f130c27a870 SHA-1: e93d6a85ab04c5ed5a128843c19fe060eb45ca5d SHA-256: 94363166315a3ae78761c8ebec718f4e18381320ad8517e6c855b5e82d164975
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic firings suggest it functions as a link farm, embedding numerous external URLs, with one prominent URL being `https://leonvi.ru/wix?keyword=so+you+want+extra+credit+meme`. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or SEO spam campaign, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=so+you+want+extra+credit+meme
    • https://cdn-cms.f-static.net/uploads/4503584/normal_60489042d7dfe.pdf
    • https://static.s123-cdn-static.com/uploads/4370744/normal_5feb10c168e9e.pdf
    • https://static.s123-cdn-static.com/uploads/4374189/normal_6003fa6534809.pdf
    • https://cdn-cms.f-static.net/uploads/4478398/normal_6036362d14694.pdf
    • http://pugalibapuf.iblogger.org/cuento_de_caperucita_roja_de_los_hermanos_grimm.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://33fe1336-4051-433c-b691-b763732126dd.filesusr.com/ugd/6c8f37_a1807482c83b4fcba424f5a2adf71315.pdf?index=true
    • https://78bdfa25-736e-4945-a764-db21511aacb9.filesusr.com/ugd/9bd82e_7f4fa4e7e57f473781446f53646a7542.pdf?index=true
    • https://c0b8f06b-4e98-4d3d-89ef-2f08caba629a.filesusr.com/ugd/0c8cc8_85b461fb49c64100872a016dd3f682bc.pdf?index=true
    • http://tomoxag.rf.gd/82656804729.pdf
    • https://1423d76f-a56f-4481-bf87-726e17039346.filesusr.com/ugd/14aee2_3664495c5eb34ec0b1e9e8e9ad02ab46.pdf?index=true
    • https://1d20f49f-ccd6-4d05-b9af-9ecc574be1a3.filesusr.com/ugd/7b50d7_f58fa96491c14487bf16b9d4fcf6a3fe.pdf?index=true
    • https://69c5641f-197a-42c1-bef1-daa502c1f1d7.filesusr.com/ugd/948cea_d170b257320f41bf9b4ab3d941acbc09.pdf?index=true
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_f5ff4c048b434789891bf9cc00be48f3.pdf?index=true
    • https://ad9f1622-e3b7-49db-bfef-326c48fb2104.filesusr.com/ugd/a467d2_8dc6da8b2c024abe9484c2d1f569b5c3.pdf?index=true
    • http://bosefijov.epizy.com/psychology_statistics_for_beginners.pdf
    • https://f74ea38a-ab8d-49a0-8d31-9a1d7ce64423.filesusr.com/ugd/5ceade_0e5b4407d4cd4350b8b354474d6f5fad.pdf?index=true
    • https://a121017b-3fb3-450c-9156-48dd71a9bf80.filesusr.com/ugd/07625c_3926b092bf56468f94e77a837356e9a0.pdf?index=true
    • http://lopoxupalajimuv.rf.gd/touch_of_class_car_wash_coupons_poway.pdf
    • http://mudotepejix.epizy.com/jquery_form_submit_ajax_json_example.pdf
    • http://kepipejesa.epizy.com/94325880905.pdf
    • https://17673d3b-e5d0-4e0e-8211-f079fadf35f5.filesusr.com/ugd/13ae68_613e36dc896247879d4f6e855e20a862.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2d6.bin
ee0af7eacf42c7513c2fd1bfd4873ab979c23a2609f5c48b3689cb1ef7e0991a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF2D6 5240 bytes
font_01_sfnt_off000104b1.bin
b24d63846dcfffbfaae88c8956feac36d33ede5e82ed98bc2c099858eaa5d84a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x104B1 10520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.