Malicious PDF — malware analysis report

Static analysis result for SHA-256 a251d5fa1a0f0c90…

Verdict: MALICIOUS

File type: PDF

Size: 83.8 KB
Created: 2021-03-25 10:10:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d54b2e5872865e6a47c05d3db4103895
SHA-1: 7b700187ea0ddceaffa9f3d8e4160c653d78b67a
SHA-256: a251d5fa1a0f0c90c93e11d71b43809524f4d817991f8a9d23c5d76f39f0b001
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic in SEO-poisoning and phishing campaigns. The 'PDF_SEO_LINK_FARM' heuristic and the presence of many external URLs strongly indicate this intent. The ClamAV detection and the ML classifier further confirm the verdict, classifying the file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9994

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010ae1.bin
SHA-256: 1661d3c3c5d3a34259f6c8b6ea6d9e5149ff01d06368c6da663ab279cf453a9e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10AE1
Size: 5244 bytes

Filename: font_01_sfnt_off00011cbd.bin
SHA-256: 9fb3e8cc20d5c06dc0ff2c15ee3a8c109600c7897053911c152146e4a6a83eac
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11CBD
Size: 10956 bytes