Malicious PDF — malware analysis report

Static analysis result for SHA-256 95366788433c331e…

MALICIOUS

PDF

91.2 KB Created: 2021-03-29 02:21:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41ead76e9ed48e0b8cd220873752422b SHA-1: 11c7ba2742f41b823829b957d6026b87f158282b SHA-256: 95366788433c331e5d9e1953c172f4cfde97ab1fa2ab65865a68dce16294755e
316 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1105 Ingress Tool Transfer

This PDF file contains an embedded JavaScript payload that attempts to redirect users to various external URLs, many of which are part of a link farm. The heuristic firings indicate the presence of a malicious script and a link farm, suggesting the document is designed to distribute further malicious content or phish for information. The ClamAV detection further confirms its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 9

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=software+testing+training+institute+in+chennai
    • https://cdn.sqhk.co/jigekuragige/jgKjeSf/android_software_for_pc_windows_10.pdf
    • https://cdn.sqhk.co/pobijejok/7icbjdN/melvor_idle_best_weapons.pdf
    • https://pewukuma.weebly.com/uploads/1/3/4/7/134762228/9117637.pdf
    • http://trickyturkey.com/good_android_phones_under_100000080m.pdf
    • https://cdn.sqhk.co/sowotewope/c0M6jiL/refusekamezolepunakalov.pdf
    • https://cdn.sqhk.co/gizivapejoko/ijyeoDW/xivimulewomewu.pdf
    • http://mitisobixarof.iblogger.org/gotukulined.pdf
    • http://potenciy.xyz/166097147936d58d.pdf
    • https://maxegexetafes.weebly.com/uploads/1/3/1/3/131379525/8635434.pdf
    • https://bokesaxigalul.weebly.com/uploads/1/3/0/7/130776824/2bf9b6be01699.pdf
    • https://mogobuzuxoxede.weebly.com/uploads/1/3/0/7/130740257/7e6b064.pdf
    • https://cdn.sqhk.co/nivipanevi/6rR2Wjh/accountant_experience_certificate_format_letter.pdf
    • https://cdn.sqhk.co/nevawanipo/UPeggf9/zombie_smasher_mod_apk_home.pdf
    • http://xudogiborijum.66ghz.com/41438051842.pdf
    • http://raisinshub.club/8232279212q7kq7.pdf
    • https://cdn.sqhk.co/nivipanevi/6rR2Wjh/accoun
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://xuzagavolikop.epizy.com/77743107843.pdf
    • https://ede8a7a3-2377-4e09-926a-401222b31c25.filesusr.com/ugd/81c89d_c753eb3c036541f0aa37e000cc856043.pdf?index=true
    • https://00eaa6b3-f026-4720-b00f-fafb40066352.filesusr.com/ugd/d498be_f455ea7828f84090907d060c9bc32a02.pdf?index=true
    • https://f4b9ed98-44c1-44e6-9966-d9817cd43de7.filesusr.com/ugd/9ced5d_c4f4e66eaf5c4282b2e26ed8a61718fc.pdf?index=true
    • https://276658a2-c6b1-4a23-bc3b-56c82bce4278.filesusr.com/ugd/f9448a_9def11b2b55d49b98b88d36a865a049f.pdf?index=true
    • http://bividit.rf.gd/create_list_from_template_sharepoint_2013_powershell.pdf
    • https://8b83d164-5e56-46cc-b941-48f48810ddf3.filesusr.com/ugd/76ce43_2070858e3ed346d7be19151b3da3a2e3.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000134c2.bin
d1e62130cfae7ab6ce2c40768db6e624b302aca5007a30c851a09de2acb74652		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x134C2 18344 bytes
embedded_pdf_script_00009c8d.bin
68ce317cc60742d1e545872b7990d07a2873e077e09675f38b0cdadd36e7e45c		 pdf-embedded-script PDF decompressed stream script payload at offset 0x9C8D 93415 bytes
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
font_00_sfnt_off0000fc68.bin
5208c24e48d7d94f42d58fb002a102ad4e12e91d4be3dc7f168bb288d01cdedb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC68 5188 bytes
font_01_sfnt_off00010e13.bin
541f56ba28a68cb5cbc4e2595e774904ab28e10303a42fa5266ee7d3bbbc257b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E13 11328 bytes
font_03_sfnt_off000150cf.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x150CF 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.