Malicious PDF — malware analysis report

Static analysis result for SHA-256 a065bc1f88a8fb7c…

MALICIOUS

PDF

Size: 93.1 KB
Created: 2021-06-09 09:49:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fd76a6b735877ef46c0905227431aaf
SHA-1: 52a71f1c85674a619c80e3b0ee06c94aed52353a
SHA-256: a065bc1f88a8fb7c7bcc5b747d44fb77cde31d7316605a8d4480043f74ae0b2d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, identified as a "PDF link farm", with one prominent URL leading to a "rooter app hack mod apk" lure. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The presence of embedded URLs and the nature of the links suggest an attempt to redirect users to malicious websites for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9926

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://coretry.ru/pbw?utm_term=rooter+app+hack+mod+apk
    • https://cdn-cms.f-static.net/uploads/4372354/normal_602df276b75b9.pdf
    • https://cdn-cms.f-static.net/uploads/4471253/normal_60bb1a72d82c7.pdf
    • https://gorixiboxizamo.weebly.com/uploads/1/3/4/5/134589430/a83222ba1.pdf
    • https://cdn-cms.f-static.net/uploads/4417129/normal_604661c2219b3.pdf
    • https://supimoxu.weebly.com/uploads/1/3/5/3/135319300/teronajudedutekaxum.pdf
    • https://cdn-cms.f-static.net/uploads/4464542/normal_606ea59ada5f8.pdf
    • https://gazetitorujij.weebly.com/uploads/1/3/4/5/134599815/1d5c6b980a0d378.pdf
    • https://marelepo.weebly.com/uploads/1/3/0/7/130738501/kepekebejerago-xiporoxisibafi.pdf
    • https://boxomuti.weebly.com/uploads/1/3/4/0/134016719/9234381.pdf
    • https://vebupixe.weebly.com/uploads/1/3/4/8/134854050/4058774.pdf
    • https://cdn-cms.f-static.net/uploads/4417205/normal_600d1d199eda3.pdf
    • https://wimofitadaxota.weebly.com/uploads/1/3/4/3/134362004/0af18854486faa.pdf
    • https://piramejujidizek.weebly.com/uploads/1/3/4/6/134694247/minowepafajo.pdf
    • https://rinefoza.weebly.com/uploads/1/3/4/8/134883618/829764.pdf
    • https://bamususifilozok.weebly.com/uploads/1/3/1/3/131383301/diforiliwaf.pdf
    • https://wivapitawipalex.weebly.com/uploads/1/3/2/6/132682528/nepisuwuge-fonowipapefefem.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c5d78a70-d748-4b8d-9b32-3b109458fa8b/ejercicios_resueltos_de_poisson_y_binomial.pdf
    • https://uploads.strikinglycdn.com/files/17965543-c552-4de8-a9c3-445252ed2d70/how_to_reset_yamaha_rx-v477.pdf
    • https://uploads.strikinglycdn.com/files/7b4a618d-39a4-4f6a-b090-9c4eca0e7aa0/mixededopozo.pdf
    • https://uploads.strikinglycdn.com/files/9d7e7283-f8f0-4788-9011-bab82a8c3573/stihl_fs_56_rc_attachments_edger.pdf
    • https://uploads.strikinglycdn.com/files/806c2efa-7b9e-4072-bdb6-7bc5c6419792/wadamukotiwifuvow.pdf
    • https://uploads.strikinglycdn.com/files/42d29a50-b755-4323-b654-2f8cbb0de3f3/symbol_scanner_ls2208_programming_enter_after_scan.pdf
    • https://uploads.strikinglycdn.com/files/b511a5c3-0431-4753-b916-d1498db3e28e/rumexuguruvebuwebanopufo.pdf
    • https://uploads.strikinglycdn.com/files/134a8598-3aaf-4d42-a16b-25077953833d/ritisekuz.pdf
    • https://uploads.strikinglycdn.com/files/c593dcae-e430-4f9e-885c-cbc436d882b7/area_of_triangle_worksheet_6th_grade.pdf
    • https://uploads.strikinglycdn.com/files/294f67ed-c672-4332-9a04-9efd6d45ac4e/como_hacer_cajas_de_carton_tipo_libro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ffdd.bin
    SHA-256: e6340dcd62b8cca3b08210c0a8854badc3dbb8c4f4067f14ccf943b3e04bd544
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFFDD
    Size: 5176 bytes
  • font_01_sfnt_off00011149.bin
    SHA-256: fe6eae276544ca03ccf00bbd1f2d0ee74e50b07128617f23597fbc78f388accb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11149
    Size: 7740 bytes
  • font_02_sfnt_off00012afc.bin
    SHA-256: 84d5a398885548fbffc0a0c55828ccc46deb8c8104cd58da7d87b45e2a2e5334
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12AFC
    Size: 10300 bytes
  • font_03_sfnt_off00014e8e.bin
    SHA-256: 0e6963023581e6756050d2c3a96c671744c955f365c98f10e5029e885163e4e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14E8E
    Size: 16344 bytes