Malicious PDF — malware analysis report

Static analysis result for SHA-256 a29f2a38b05ada44…

Verdict: MALICIOUS
File type: PDF
Size: 74.1 KB
Created: 2021-06-01 05:59:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b82fd96d01a30cc322f4f45d0c0294b
SHA-1: 77abec42579a9c7849f3aced5245f7f39ab06e4c
SHA-256: a29f2a38b05ada44bf8c3d64ccf3b9c8eda64080677ac58e9c9f073eee4623d7
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external links, many hosted on disposable domains, suggesting a link farm used for redirection. The document body, though heavily obfuscated, appears to be a lure related to drawing tutorials, which is a common tactic for phishing or malware distribution. The presence of embedded URLs and the overall structure point towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e2e0.bin
    SHA-256: 2f885bf614fca6d00e4f39ec849d16d72566d4747a6a9378b3de1af1437f95b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2E0
    Size: 5332 bytes
  • Filename: font_01_sfnt_off0000f51c.bin
    SHA-256: b990a0c2cfbfb2f05deb71853aec5a07d1d76bdf0fadc7f4875e5b282647f622
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF51C
    Size: 10516 bytes