Malicious PDF — malware analysis report

Static analysis result for SHA-256 967ce1ccc2ff48ea…

MALICIOUS

PDF

76.7 KB Created: 2021-04-26 19:10:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d34fe63720d7a13a1220c1fadb207567 SHA-1: 2e99349f113c6f038d5e334175537c5c81d05972 SHA-256: 967ce1ccc2ff48ea36da6f2f09a024b7ad8fe72ce4e89cf6144e338efb95b23d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a significant number pointing to potentially malicious domains, as indicated by the 'PDF_SEO_LINK_FARM' and 'PDF_URI' heuristics. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware delivery. Although no scripts were explicitly extracted, the structure and heuristics point towards a malicious document designed to redirect users to attacker-controlled sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=active+and+passive+voice+notes+pdf
    • http://fevinoreniwelik.sportsontheweb.net/towopexowutenukegopikije.pdf
    • http://rulavilev.iblogger.org/borrower_s_certification_and_authorization.pdf
    • http://senaxemuj.iblogger.org/295575580.pdf
    • http://dazolovegom.mygamesonline.org/41994222474.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tokatefozude/rel_stylesheet_in_css.pdf
    • https://s3.amazonaws.com/titugome/bose_quietcomfort_15_price_philippines.pdf
    • https://s3.amazonaws.com/sosupejuxofedo/can_pro_tools_open_garageband_files.pdf
    • https://s3.amazonaws.com/wixatax/western_downland_school_ofsted_report.pdf
    • https://245df057-3761-468b-8bc4-2c9c6734f7c7.filesusr.com/ugd/06c8e1_137672b4bd3e4144981e43b3f241b171.pdf?index=true
    • https://26bfc7ce-baa4-43a1-9280-72312523cbd3.filesusr.com/ugd/5af86b_6665eb6cab404fcea6cdb9dcd0d3572a.pdf?index=true
    • http://redepulevinevux.epizy.com/gugexus.pdf
    • https://s3.amazonaws.com/jevedijadiki/36259225797.pdf
    • https://uploads.strikinglycdn.com/files/467e5696-af20-41eb-af0a-4191e008aea0/85623618533.pdf
    • https://8b1d1a20-f0f3-43d5-aeb5-704ac988d6c7.filesusr.com/ugd/9dbc1d_563787034a154af9af2f411fdc6c100b.pdf?index=true
    • http://bokepomi.onlinewebshop.net/gimikadeserixudatil.pdf
    • https://uploads.strikinglycdn.com/files/ce5a0646-5bdf-41d4-a4c8-81bf8e1bdea1/84751503363.pdf
    • https://s3.amazonaws.com/sedowedi/57749332034.pdf
    • https://0b21792c-a699-4cf4-8833-5910c6ad58af.filesusr.com/ugd/b0b521_66558077d0714ecfa2c9f9fb14a58b96.pdf?index=true
    • https://s3.amazonaws.com/bubeto/riwofafox.pdf
    • http://nivuzujanux.myartsonline.com/ubqari_magazine_february_2020_download.pdf
    • https://5efcf519-4c71-4be9-a00f-e1d47ba804c5.filesusr.com/ugd/ebcc4b_41bbf14c8bbd47708e92e84d06f7144f.pdf?index=true
    • https://s3.amazonaws.com/pusixa/84685727321.pdf
    • https://uploads.strikinglycdn.com/files/880a6e74-1f64-4d0b-a30d-a3cd748ca12e/65589143372.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed6b.bin
44b98d67b1ce2dbecffb22941410ae068f186adf18f613ed85955496fb12704b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED6B 5068 bytes
font_01_sfnt_off0000fecf.bin
039c44d0f074e7b72d4153950a770d2117003916c75413771a2d674314eabc56		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFECF 11392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.