Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9b09ff07d94966e…

MALICIOUS

PDF

Size: 70.3 KB
Created: 2021-03-18 23:42:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d842661d43b87d153e05213e7805e242
SHA-1: 25ae1ed6f9945ae34294febf74f7de45607bf27c
SHA-256: a9b09ff07d94966e505f628ec7654dfccc985611ce904db0e9aebf5ecb6da151
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used for SEO poisoning or phishing. The heuristic 'PDF_SEO_LINK_FARM' specifically indicates a large number of external links, with one pointing to 'https://maypoin.ru/wix?keyword=i+almost+do+song+lyrics'. The ClamAV detection and ML classifier also strongly indicate maliciousness, classifying it as a phishing trojan. No scripts were extracted, but the overall structure and link farm suggest a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d781.bin | a06a19019a0d74fa71720e02490908e8577787ecd1a1c44667e9a2461e442d5a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD781 | 5296 bytes
font_01_sfnt_off0000e977.bin | 9c8f3716cd6e3cbfe0477495ddd6be99df001324eabc17a8f23537143298187a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE977 | 10404 bytes