Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa793ba714a1b30e…

MALICIOUS

PDF

Size: 174.8 KB
Created: 2021-06-04 01:15:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: adaf77d960d65c9bf0e5b1390816e868
SHA-1: deced571ce03882e37232593cde9361971778c54
SHA-256: aa793ba714a1b30e872fd5d83045a5bb7c124c9843dcd33749c2d54aff79c982
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. It contains numerous external URIs, with one pointing to a suspicious domain (jumiwimov.ru) that is likely part of a link farm designed to redirect users. The document body, though heavily obfuscated, appears to be a lure related to nursing training, aiming to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9930

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/123?utm_term=memoire+formation+aide+soignante (PDF link annotation)
    • https://pokifuduxorimib.weebly.com/uploads/1/3/4/5/134501468/1224933.pdf (PDF document text)
    • https://felekiki.weebly.com/uploads/1/3/4/6/134689652/kofatubasuso_mutokeli.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4457862/normal_605aef8bcb668.pdf (PDF document text)
    • https://tokubarip.weebly.com/uploads/1/3/1/3/131380438/64ed47dacba37bd.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374196/normal_6023f19423d32.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4393761/normal_5ff5f20832cef.pdf (PDF document text)
    • https://gakefutafo.weebly.com/uploads/1/3/0/7/130739004/jevupilifinomoj.pdf (PDF document text)
    • https://nuruvubapifak.weebly.com/uploads/1/3/1/4/131452890/fidov.pdf (PDF document text)
    • http://fontawesome.io (PDF document text)
    • http://fontawesome.io/license/ (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • https://uploads.strikinglycdn.com/files/72217e3e-6bfc-4403-a47b-7154f560079a/toms_shoes_ethics_case_study.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/a33ff3a7-45ea-4dd3-8d76-377a01d02e13/van_ejercicios_resueltos_excel.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/cc745c01-4ec3-4971-8e56-8339468bb805/forklift_truck_classes.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/757b3956-a028-4828-a6df-a6720b437be8/35139683349.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/098afc41-b300-4923-8651-f6f873f0de7b/application_layer_tcp_ip_vs_osi_model.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/426368a0-e77e-4e7f-a5ce-02ad8b84c333/13539383653.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/0b0f125f-7d41-4ef7-ad53-1452df1ca940/dexobitomumulu.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/85437a70-b7c4-4bc9-a321-4edcb9780a6e/saxolafi.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/20a746a7-7c06-41a8-ab79-24a329b8d0dc/what_are_the_four_critical_thinking_skills.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9a238ceb-fa02-417a-9088-f89dd96fa74b/chamberlain_hd900d_manual.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8d8db89c-7f5d-4983-bd36-c4d45a818609/yearly_budget_template.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/878f6be6-20d6-47a8-aa0b-1fa15ece77ca/logirinepera.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/3119033f-ee00-42fa-aa8a-b2804da2dc4d/80533239262.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b2c87c3f-70d4-4e64-bd37-a84c82c92fe7/xubebekevojozoxab.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9aee43d1-33ed-47c5-b1cc-4abaecd23607/tunapapopexawuxalu.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/eac3ec38-c868-4947-a0a4-cc8f194856d4/47624123587.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    • http://dejavu.sourceforge.net (PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00024615.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24615 | 2220 bytes | 498a67be6f2aebe11e215cdeafcc65d9bb7e5351d5970318b6fa7ab65d29d536
font_01_sfnt_off00024fd4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24FD4 | 5200 bytes | e986b8a4fccdf7a5a5f5d4f2e9f7c8dade0ba0fc15411fc0fc57da2051da36d6
font_02_sfnt_off00026177.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26177 | 14976 bytes | f90d6c3932e262a6c2a1c76a89369215ea9723607c678527a34006f559b68334
font_03_sfnt_off00029059.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29059 | 17284 bytes | 058b88ab4e75b827ac53dcb64670da720466c919a464a950574a231663d5d407