Malicious PDF — malware analysis report

Static analysis result for SHA-256 95c52c91587c24dc…

MALICIOUS

PDF

Size: 80.2 KB
Created: 2021-05-09 08:13:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c093cfc7d394342969edbc1116e99ed
SHA-1: c909ef286f953684811e6200799f4415bf1d0942
SHA-256: 95c52c91587c24dc4ca18aeba5f5c76d5e7097885f5f335ecada3c3b61d1aa6f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm designed to deceive users. The primary malicious URL identified is https://seumenha.ru/strik?utm_term=adobe+premiere+pro+download+for+pc, which is likely used to distribute further malware or phishing content. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=adobe+premiere+pro+download+for+pc (primary URL)
    • https://vetitigozep.weebly.com/uploads/1/3/1/4/131437709/76010.pdf
    • http://vipadobotisituz.mygamesonline.org/enneagram_personality_test.pdf
    • http://paruxezogu.mygamesonline.org/quickbooks_credit_card_authorization_form.pdf
    • https://vamarimorojikav.weebly.com/uploads/1/3/4/6/134640123/givasebakaro-fatiwivaboxubop.pdf
    • https://kaxapanokatonab.weebly.com/uploads/1/3/1/0/131070327/9831622.pdf
    • http://sifisomatexow.sportsontheweb.net/classification_of_antiviral_drugs_according_to_mechanism_of_action.pdf
    • https://mibofadap.weebly.com/uploads/1/3/1/6/131637701/7e527.pdf
    • http://welitizenowem.mywebcommunity.org/85656272141.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/dudigonifu/teks_sholawat_burdah.pdf
    • https://s3.amazonaws.com/resabomibogodaw/what_are_the_different_methods_of_teaching.pdf
    • https://uploads.strikinglycdn.com/files/d783bb7f-58c5-45ed-9cd4-f1652fe57ce0/pezapimavakegikexom.pdf
    • https://s3.amazonaws.com/fajetufekejo/62585835494.pdf
    • https://276658a2-c6b1-4a23-bc3b-56c82bce4278.filesusr.com/ugd/f9448a_99fe311ab35c43299a9a3654cb0b8b02.pdf?index=true
    • https://76b44699-1094-4fd8-8d4a-70b7be8159c3.filesusr.com/ugd/c450b2_e50b1bee93b14d54bc510b56a06dda20.pdf?index=true
    • https://7c5e2310-e79b-429e-9f4a-70471a43dcce.filesusr.com/ugd/8ec1ef_d2261e6d2d6f4e3a9657d334c6300e98.pdf?index=true
    • https://s3.amazonaws.com/rodakarugupoko/illinois_dmv_written_test_study_guide.pdf
    • https://77bac38d-831a-46d6-8f22-d7743fcadc58.filesusr.com/ugd/5b9a87_1517c3a4df7340339b07fa8cda16c2f4.pdf?index=true
    • https://a581e706-3bf6-41fb-8978-ad4d4077590d.filesusr.com/ugd/afbe6b_afa50008f6c44177832eec77938ef8d9.pdf?index=true
    • https://s3.amazonaws.com/vixuwogetiv/60100551655.pdf
    • https://6f465708-eb37-4ee2-8658-ebeec6cd93ea.filesusr.com/ugd/4bb103_85e505f2897044b989e061268de245aa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/55a05c69-8740-458c-91f2-6c6b88a0eb98/xosewibono.pdf
    • https://uploads.strikinglycdn.com/files/30493341-5ad3-42ab-89ca-592cc6ca1d37/belkin_n450_db_wireless_n_router.pdf
    • https://uploads.strikinglycdn.com/files/94faebe2-6b27-4cc9-93a6-3387584542e2/imagen_iso_de_windows_7_32_bits_descargar_gratis.pdf
    • https://746420f6-3007-491b-ba72-fd43be5094e5.filesusr.com/ugd/277b62_1476c37727f04eb09fcccfbcc1a0ba1c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1dd768a6-dad0-4946-b8b0-232c1d905375/xogazoladugudoxopifo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fa6f.bin
    SHA-256: 07f12081d6c9dea60e681cab44247ad32c63021829db0328ca5d031a5409d169
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA6F
    Size: 5344 bytes
  • font_01_sfnt_off00010c96.bin
    SHA-256: f6847473b5f7b6b6ab6b2dd0af664be0f3c4dda81008aee67c4902625a4c3280
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C96
    Size: 11848 bytes