Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5ca2ab645ca6bef…

Verdict: MALICIOUS
File type: PDF
Size: 74.3 KB
Created: 2021-04-06 04:39:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f9765bfc8c3891172e5ea478f726175
SHA-1: 86c9cf7d59f121d234509c66e57edf072bda44bc
SHA-256: a5ca2ab645ca6bef264adda3c34cffb8513989ab205ea81afccbc21b3b2218b1
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF file exhibits characteristics of a phishing or malware distribution lure, as indicated by the 'PDF_SEO_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' heuristics. The document contains numerous external links, with one prominent URL being https://crophysi.ru/123?utm_term=free+dictionary++for+pc+windows+10, suggesting an attempt to redirect users to potentially malicious content. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic further suggests that the document may be part of a multi-stage attack, possibly instructing users to open a password-protected archive containing a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • https://crophysi.ru/123?utm_term=free+dictionary++for+pc+windows+10
    • http://requiremcgood.com/rarak3qgyf.pdf
    • http://megalit-korolev.ru/todixesarugxd6si.pdf
    • http://meetsol.xyz/zizurijufevoloxuhvrnr.pdf
    • https://tajafakedebufu.weebly.com/uploads/1/3/1/4/131438499/638de955.pdf
    • http://opt05.ru/roland_spd-sx_special_edition_reviewe1irm.pdf
    • https://padukasafif.weebly.com/uploads/1/3/4/4/134404544/jiridite_nubefidafede_bexonusiw.pdf
    • http://50offstore.pro/just_2_words_puzzle_1096zs9af.pdf
    • http://securespot.ru/world_physical_map_blank_a4_sizeyr47e.pdf
    • http://idealicaitalia-official.site/4fun_app_downloadyz43g.pdf
    • https://donokodupotev.weebly.com/uploads/1/3/4/3/134317189/genenup.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://34ec465e-51aa-4dba-9a8c-c05fcfb5ae84.filesusr.com/ugd/df15ee_b1d5d8b07e0744a4bcce8ad2d6cb0056.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b148bd9c-516b-4143-b4d4-9371989a45e8/migokeres.pdf
    • https://uploads.strikinglycdn.com/files/53cbaf22-b4df-4a8c-a3af-38b71644a7ba/26356682429.pdf
    • https://535a9070-e28a-464b-adc5-c02ad08be00b.filesusr.com/ugd/9df9d6_273ca50c6c53424a8d104a7aaa5c0626.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8c25d61f-f640-4390-bdf3-60160918a864/what_is_the_formula_in_finding_the_sum_of_geometric_sequence.pdf
    • https://uploads.strikinglycdn.com/files/f9f23584-3f01-454e-995d-969473917158/adobe_flash_professional_cs3_free_download_full_version_with_crack.pdf
    • https://uploads.strikinglycdn.com/files/6aaa1bc2-0ac2-4535-9ee1-584fe225fbca/betty_crocker_cookbook_1950_1st_edition.pdf
    • https://uploads.strikinglycdn.com/files/f53d3831-3cee-4a1c-84c6-2339414e0773/how_to_map_an_image_in_photoshop.pdf
    • https://uploads.strikinglycdn.com/files/2b99ba40-773b-4dc6-bca0-e58810a1bea0/69600566855.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e53b.bin
    SHA-256: 99467f878a6db6939c4163ca1eb15c46e61e75e19fd38772d7e9bb7af9ce3f5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE53B
    Size: 5460 bytes
  • Filename: font_01_sfnt_off0000f803.bin
    SHA-256: 4629511aed21181c6b3027b9b60d634455ed08cf25564decc2f2886b40842844
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF803
    Size: 10548 bytes