Malicious PDF — malware analysis report

Static analysis result for SHA-256 a166e8dc960b23e0…

MALICIOUS

PDF

136.1 KB Created: 2021-04-01 08:26:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bbfc8ce397dd1d8e42fbbdb4ad5e08b SHA-1: d35d04cf542db4474bf6b7e625e8d619c615e45b SHA-256: a166e8dc960b23e0af8a9b09bc8212658b208f73f19af80613d273f61ee2667b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and a machine learning classifier indicated a high probability of maliciousness. It contains numerous external links, with a critical heuristic identifying a 'PDF_SEO_LINK_FARM' suggesting an attempt to generate traffic or distribute malicious content. The primary external URI, 'https://xezojetit.ru/123?utm_term=shinchan+tamil+movie', is likely the intended destination for the user, potentially leading to phishing or malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=shinchan+tamil+movie
    • https://cdn-cms.f-static.net/uploads/4371809/normal_601aa901f26ed.pdf
    • http://yourlivehelp.com/maserati_quattroporte_2012_new_pricehm3nk.pdf
    • https://static.s123-cdn-static.com/uploads/4380214/normal_5ff60f425f698.pdf
    • https://cdn-cms.f-static.net/uploads/4467038/normal_60532c708be27.pdf
    • http://cherrypimp.online/free_printable_template_bookmarksc7pws.pdf
    • https://cdn-cms.f-static.net/uploads/4376629/normal_601958495b6e0.pdf
    • https://cdn-cms.f-static.net/uploads/4384152/normal_5fe7b96ead317.pdf
    • https://cdn-cms.f-static.net/uploads/4374536/normal_601be214cd077.pdf
    • https://static.s123-cdn-static.com/uploads/4459628/normal_6000bbecaf7c2.pdf
    • https://static.s123-cdn-static.com/uploads/4418574/normal_5fdd7c18b6e5c.pdf
    • https://static.s123-cdn-static.com/uploads/4462345/normal_5ffec1c82f47f.pdf
    • https://static.s123-cdn-static.com/uploads/4489988/normal_5ff90d1473206.pdf
    • https://cdn-cms.f-static.net/uploads/4458389/normal_5feaf078df49e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://43081b45-6e48-4b43-b724-9328fda377ae.filesusr.com/ugd/26481d_fcf41c301185418e9f1bed8577a4e63b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/58251859-c069-4630-86a8-69622981f1ce/lincoln_225_arc_welder_wiring_diagram.pdf
    • https://89f68ddc-9f98-4e60-8afa-3e0ca6603e9e.filesusr.com/ugd/4725f1_47c4481d6cce4f5fabe88ec6617fe9c6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c337e9a4-6b2b-422c-958c-5d349b051d52/taurus_800_series_45.pdf
    • https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_6ed736f354844dad907b2d9cd1df6e9f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8dbe77eb-3922-460d-8816-17e761cd04bb/97564149755.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4c5.bin
4912f10e1f14e30c799082371d7a62e2c5210b48699195ab118400fe3ff592f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4C5 63488 bytes
font_01_sfnt_off0001b603.bin
55993779b3ae209d53aa9e498568b0a7ddd523951be27ce4a2af0687575908a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B603 4716 bytes
font_02_sfnt_off0001c5ca.bin
e5505df435babb689c81f1a6ebf0867928509981afdf05584dd70ef15979eda0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C5CA 12356 bytes
font_03_sfnt_off0001ede6.bin
60f53b17f7925ac1818ac9336ea58fd206fea48872b5377b70e6fb8114080afd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1EDE6 16132 bytes
font_04_sfnt_off000202d9.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x202D9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.