Malicious PDF — malware analysis report

Static analysis result for SHA-256 9719f9a2a5e92102…

MALICIOUS

PDF

74.7 KB Created: 2021-04-08 04:21:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: efaa06697f5310d39677611c43cbc105 SHA-1: 4908374cce52ec63b0994dd36960335a34da5cba SHA-256: 9719f9a2a5e92102b291bbb98ddcb4a16320f15b148185938879bfa580b1b624
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are disguised as search results or file downloads. The heuristic PDF_SEO_LINK_FARM indicates a mass link farm, and ClamAV detected it as Pdf.Phishing.Trojan. The ML classifier also flagged it with high confidence. The document body, though heavily obfuscated, suggests a lure related to finding solutions for a PDF document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/wix?keyword=fundamentals+of+biostatistics+solutions+pdf
    • https://vorebalulu.weebly.com/uploads/1/3/5/9/135962534/7094665.pdf
    • http://kosiwixiwumizu.iblogger.org/jedure.pdf
    • https://malafusid.weebly.com/uploads/1/3/2/8/132815748/vasivi.pdf
    • https://cdn.sqhk.co/bimazizuxu/ZgYJphj/37411570484.pdf
    • https://gubitujon.weebly.com/uploads/1/3/4/6/134687035/393a808f3.pdf
    • https://rebazizezasij.weebly.com/uploads/1/3/4/5/134586802/3351da283903.pdf
    • https://lorotorerusut.weebly.com/uploads/1/3/1/4/131452969/5570466.pdf
    • https://cdn.sqhk.co/wedowetaso/Ojchhha/90460322094.pdf
    • https://cdn.sqhk.co/pefevepufi/xIiaSfI/breaker_balls_for_paintball_guns.pdf
    • https://vakejijumusefuv.weebly.com/uploads/1/3/5/3/135313512/2581825.pdf
    • https://rekoxexegatetun.weebly.com/uploads/1/3/1/4/131452740/xudibezaxu-vilolu-divesafi.pdf
    • https://cdn.sqhk.co/vuzowadijavu/hergd7I/relogulevejore.pdf
    • https://vawudida.weebly.com/uploads/1/3/4/8/134890241/jarixedudepi_tuniduzuzig_lakidakoxager_wesujiwukapigad.pdf
    • https://cdn.sqhk.co/lerapuraroke/iajfhgL/nes_emu_apk_free_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e216d865-ddc7-438b-99b2-64609380b1bb.filesusr.com/ugd/7ae8b3_aa06b518946a4e6ea2e63b81d9418d56.pdf?index=true
    • https://s3.amazonaws.com/satudifin/good_morning_wishes_hd_photos.pdf
    • https://a519209a-2b0a-481f-9fe9-460c873bdc80.filesusr.com/ugd/270e53_27b0a755cad7490fa26d7d79d511df89.pdf?index=true
    • https://f4b9ed98-44c1-44e6-9966-d9817cd43de7.filesusr.com/ugd/9ced5d_d6725c2d21184d4baec6a9a8b63cff10.pdf?index=true
    • http://likitaponuviv.rf.gd/allopathic_medicine_book.pdf
    • https://s3.amazonaws.com/tidigudetefumof/refujuwujerulonasuzu.pdf
    • https://s3.amazonaws.com/gosete/polaroid_pic_300_vs_fujifilm_instax_mini_9.pdf
    • https://s3.amazonaws.com/loneminovu/pefesiwiludigepepesubake.pdf
    • https://s3.amazonaws.com/rekorewexidiwo/dawumezikovadanomelekukog.pdf
    • http://xorirefojexo.rf.gd/11483786906.pdf
    • http://rigirulame.epizy.com/catalogue_design_ideas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e98f.bin
133a86229a751b7e2d9d0554ec6bc8c30c7a9503c52a12b3e98485d0abb05811		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE98F 5300 bytes
font_01_sfnt_off0000fb85.bin
b2bf8cb0dc555a54e39f1496f5730685db8d5b376b9d8b7d255c3e54b28cf6d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB85 9844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.