Malicious PDF — malware analysis report

Static analysis result for SHA-256 a26a4a157a80b86d…

Verdict: MALICIOUS
File type: PDF
Size: 75.9 KB
Created: 2021-03-24 02:17:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60e297050a62995e3c080b34b8eb868d
SHA-1: 0de5cbca05386aafd39e852b9bcc2ac3347e8268
SHA-256: a26a4a157a80b86d1e3c2c766958f4c108bd8a09b7ff1016f78e83a3c5705e4d
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous external links, many of which are part of a link farm designed to manipulate search engine results. The heuristic 'PDF_SEO_LINK_FARM' and the presence of many URLs indicate a phishing or malicious redirection attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ea0e.bin
    SHA-256: 5575b929fbbdad4de987ba353839c452568f1cbf9c691de2a300e800c10983fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA0E
    Size: 5200 bytes
  • font_01_sfnt_off0000fbbf.bin
    SHA-256: ef15cb66e61b5ce2bdf45b0ea4b559771ec55b504dc31fb9fc7e40da0a47445f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBBF
    Size: 11528 bytes