Malicious PDF — malware analysis report

Static analysis result for SHA-256 a71c8fdc5714554e…

Verdict: MALICIOUS
File type: PDF
Size: 74.6 KB
Created: 2021-06-01 04:57:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: daaa9bf038dfd6352d4450efba0eb3a9
SHA-1: 1797be842f35d997b228b2f6191dec6c7961e128
SHA-256: a71c8fdc5714554ea195e0ad4b232ff3f89e9383ed8698621bc26ad6c69d5aff
Risk Score: 196

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many pointing to PDF files hosted on file-sharing services, suggesting a link farm or redirection mechanism. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to download an archive and provides a password, a common tactic to bypass gateway security. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e23e.bin
    SHA-256: 054eeda7a4549963695975ba2719c1208e2831c17c48da47d49004f6a3331658
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE23E
    Size: 5528 bytes
  • Filename: font_01_sfnt_off0000f51f.bin
    SHA-256: b584206ac37ee3bed37ff25e22777193d636e20658aa68b4d03c94cef3047fbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF51F
    Size: 11300 bytes