Malicious PDF — malware analysis report

Static analysis result for SHA-256 97c92067b8f96d65…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-03-20 02:12:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8c4062752731bd818da850c6e1720ef
SHA-1: 2c59cf25e121cc9604a60eac14304eedaf001eaf
SHA-256: 97c92067b8f96d655c1f333dc5040e928646206f5b52d95b296326265e93cf63
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It contains a large number of external links, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, appears to be a lure related to 'what rappers are from new york', directing users to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader (the normal incremental-update behaviour) resolves the later one, so the two see different content; this parser-confusion shape is used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=what+rappers+are+from+new+york
    • https://static.s123-cdn-static.com/uploads/4447497/normal_5fc84313506c3.pdf
    • http://motorutovibipe.sportsontheweb.net/small_engine_repair_melbourne_florida.pdf
    • https://jodejivosarixu.weebly.com/uploads/1/3/4/3/134314211/510696.pdf
    • https://tinutenuku.weebly.com/uploads/1/3/4/6/134664278/zinisazigeme.pdf
    • https://paxupodef.weebly.com/uploads/1/3/4/7/134763896/sipufesoketexusodew.pdf
    • https://cdn-cms.f-static.net/uploads/4482858/normal_60306c9f4604c.pdf
    • https://kiledakod.weebly.com/uploads/1/3/5/3/135385809/sadozunowototonixe.pdf
    • https://rufekelikofevav.weebly.com/uploads/1/3/1/0/131070689/be3750b19.pdf
    • https://cdn-cms.f-static.net/uploads/4425514/normal_601d4df271afa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://42f4b946-f871-4f2a-a73e-6571c6569919.filesusr.com/ugd/e20521_d7fe45953544476e83e4fe6c1769eb4e.pdf?index=true
    • https://fdb4f28e-c637-431f-967d-457feef73efb.filesusr.com/ugd/cf5aa9_5542f22190474c0b82c0861913a2acc4.pdf?index=true
    • https://0e733887-fd72-4d21-8b10-0a39cafbc931.filesusr.com/ugd/1e4d10_848a837919654fed8841010e788e1506.pdf?index=true
    • https://562c2315-396f-49d1-9e45-1236e049cb13.filesusr.com/ugd/ec0012_6078549ba64b42b4ae5ccaa0d92875e6.pdf?index=true
    • http://zozemuki.rf.gd/lekomofijes.pdf
    • http://fopaguduvogo.rf.gd/rakupawagojo.pdf
    • http://tofalit.myartsonline.com/chicago_blackhawks_2020_schedule.pdf
    • https://db22a0a0-c6c8-4eb9-9878-037c50d93224.filesusr.com/ugd/e2b5b3_9348624922e04a2b94d652af1b1d40bd.pdf?index=true
    • http://lunagibaludoze.epizy.com/autodesk_autocad_plant_3d_2020_tutorial.pdf
    • http://fimejeza.epizy.com/47130132235.pdf
    • https://3bcdeb60-9876-4d14-bc0a-1dd1632c647c.filesusr.com/ugd/16a96a_5ca73d5b2b9c42daa2aaedcc7ab074e2.pdf?index=true
    • https://5e54824a-8208-41b0-8aeb-7c017e8cfb46.filesusr.com/ugd/f64db8_af74a060fd8041f59240e5f2d1f885f9.pdf?index=true
    • http://gakamaxoluzes.atwebpages.com/bruno_mars_count_on_me_lyrics.pdf
    • https://6184de0c-c318-42a7-882e-c5ddc63b817d.filesusr.com/ugd/1c8c1e_7a6fbad027f84132a9f6cb48283c3641.pdf?index=true
    • https://4dcfe184-cd6c-48f8-9f23-5461c743a1d4.filesusr.com/ugd/cc8533_f5fdb3e8c4f24371af5bf992ff128bf2.pdf?index=true
    • http://kazaxese.epizy.com/sabifalavenola.pdf
    • https://76df98a8-3e94-4eee-a6f5-23e1de06049b.filesusr.com/ugd/54c74c_ac3cf5957f1940c08760bca6db80ec46.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
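The two heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, describe shapes that are easy to reproduce in a triage script. The Python below is an added example written for this page; it is not the report's analysis engine and does not operate on the analysed sample. It builds a constructed one-page PDF whose link annotations cluster on one hypothetical domain and whose /OpenAction object is redefined in an appended incremental update, then runs both checks over it. The thresholds (200 KB, 10 links, 50% of links on one domain), the active-content key list and the host names are assumptions, and the scanner only understands uncompressed classic-syntax objects.

```python
"""
Added example, not part of the original report or its analysis engine: a small
scanner reproducing the shape of PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over a constructed PDF byte string.
Handles only uncompressed "N G obj ... endobj" objects (no object streams,
no xref streams). Thresholds and host names are assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# "N G obj <body> endobj" definitions, in file order. Non-greedy body: a stream
# containing the literal "endobj" would confuse this, acceptable for the example.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex strings (<...>) are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence in a duplicated body raises severity (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def build_sample_pdf(n_links=12):
    """Constructed sample (not the analysed file): one page whose annotations are
    /URI link actions on one hypothetical domain, followed by an incremental
    update that redefines object 5 (the /OpenAction) with a different URI.
    Cross-reference tables are omitted, so a strict reader would reject it."""
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(n_links))
    body = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj",
        b"5 0 obj << /S /URI /URI (https://example.org/) >> endobj",
    ]
    for i in range(n_links):
        uri = b"https://cdn%d.example-farm.test/doc_%d.pdf" % (i % 3, i)
        body.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (10 + i, uri))
    body += [b"trailer << /Root 1 0 R >>", b"%%EOF",
             # incremental update: same object number, different body bytes
             b"5 0 obj << /S /URI /URI (https://lure.example-tracker.test/strik?utm_term=lure) >> endobj",
             b"trailer << /Root 1 0 R >>", b"%%EOF"]
    return b"\n".join(body) + b"\n"


def scan_objects(pdf):
    """Map (number, generation) -> list of body bytes in file order, so a later
    incremental-update definition follows the earlier one."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def duplicate_objects(defs):
    """Objects defined more than once with differing bodies. first_wins is what a
    reader trusting the first definition resolves; last_wins is what a normal
    incremental-update reader resolves. Severity is raised only when a body
    carries active content, as the heuristic description above states."""
    findings = []
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in (bodies[0], bodies[-1]) for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "high" if active else "info"})
    return findings


def extract_uris(pdf):
    """All literal /URI strings in the file, including both copies of a duplicate."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def registrable(host):
    """Naive registrable domain: last two labels (assumption; wrong for suffixes
    such as co.uk, where a public-suffix list would be needed)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_farm_check(uris, size_bytes, max_size=200_000, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external links, most of them on
    one domain. Thresholds are assumptions, not the report's."""
    domains = Counter(registrable(urlparse(u).hostname or "") for u in uris)
    if not domains:
        return {"flag": False, "links": 0, "top": None, "share": 0.0}
    top, n = domains.most_common(1)[0]
    share = n / len(uris)
    flag = size_bytes <= max_size and len(uris) >= min_links and share >= min_share
    return {"flag": flag, "links": len(uris), "top": top, "share": round(share, 2)}


def analyze(pdf):
    defs = scan_objects(pdf)
    return {"duplicates": duplicate_objects(defs),
            "link_farm": link_farm_check(extract_uris(pdf), len(pdf))}


if __name__ == "__main__":
    report = analyze(build_sample_pdf())
    for d in report["duplicates"]:
        print("duplicate object %d %d [%s]" % (*d["obj"], d["severity"]))
        print("  first-wins reader sees:", d["first_wins"].decode("latin-1"))
        print("  last-wins reader sees: ", d["last_wins"].decode("latin-1"))
    print("link farm:", report["link_farm"])
```

On the constructed file the duplicate finding shows the point of the heuristic directly: a reader that keeps the first definition of object 5 opens example.org, while one that applies the incremental update opens the lure URL, so a reviewer who only looks at one resolution of the object sees a different document from the victim. For real samples replace the regex scanner with a proper PDF parser that decodes object streams and hex strings, and replace `registrable` with a public-suffix-list lookup.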

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f240.bin
  SHA-256: 30e2038b900061968534dc9f49ce05c2c5434ac7450681493be5875df1e5dbdf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF240
  Size: 5380 bytes

Filename: font_01_sfnt_off00010481.bin
  SHA-256: 5922d71524305671fd5d5523fba94a76732ebccac24ad7a79f11938ff4238d91
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10481
  Size: 11112 bytes