Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab1898b20bc5a53c…

Verdict: MALICIOUS
File type: PDF
Size: 131.4 KB
Created: 2021-03-20 08:05:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3cdd2ae1b3ae5a64f207513715cdf7e
SHA-1: 452fba4412fe2308a6d4447f72bfe3f79722d782
SHA-256: ab1898b20bc5a53c56a34fb85e2b066bf7ae7b296b40e3b69905e1778a0a6059
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries numerous external links, a pattern used to route readers to attacker-controlled or unwanted content rather than to cite sources. Two independent detections agree on the verdict: the Nyx PDF classifier scores the file 0.9998 malicious, and ClamAV matches it to the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0, i.e. a phishing/trojan PDF. The PDF_SEO_LINK_FARM heuristic describes the mechanism: a small document generated by wkhtmltopdf (an HTML-to-PDF converter, consistent with templated mass production) whose clickable links point at further .pdf files on third-party file hosting (weebly.com, filesusr.com, strikinglycdn.com, s3.amazonaws.com) plus one non-PDF URL on xezojetit.ru carrying a search-keyword utm_term parameter, which warrants the first look when pivoting. Two points to check before acting on this report: the extracted URL list also contains XMP namespace and font-licence URIs (w3.org, purl.org, ns.adobe.com, scripts.sil.org, fedorahosted.org, ascendercorp.com) that belong to document and embedded-font metadata and are not clickable links, and none of the five heuristics below reports a JavaScript action, so the T1059.007 mapping should be confirmed against the decompressed streams rather than taken from the tag alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/123?utm_term=kiran+bedi+information+in+marathi
    • https://xibatelilon.weebly.com/uploads/1/3/1/6/131637149/39100227f.pdf
    • https://damemerivojed.weebly.com/uploads/1/3/4/3/134378109/vesasalabura.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://667b589a-70dd-4c78-a03f-47f6e9f07b1f.filesusr.com/ugd/db80c5_a0291a8a3b764ee494a598d548d53635.pdf?index=true
    • https://s3.amazonaws.com/tapexiw/lista_de_alimentos_transgenicos.pdf
    • https://uploads.strikinglycdn.com/files/161df33d-e14c-4afc-87aa-6456f64b2084/sims_3_macbook_cc.pdf
    • https://s3.amazonaws.com/gogonof/datidivilinizonepigiw.pdf
    • https://s3.amazonaws.com/timeziso/acceptable_levels_of_coliform_in_well_water.pdf
    • https://828c6a01-da61-4814-986a-f72e64f4f334.filesusr.com/ugd/cdfdba_e5981c378d994346a3b49ed3b26e96c8.pdf?index=true
    • https://01477de9-116b-42a6-a62c-54244336611e.filesusr.com/ugd/dea9e9_6311c37b9d664ab8848861f621a15b5d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/596b187d-dc94-40c8-bc43-0f7a6db680dc/amana_washer_wont_drain.pdf
    • https://s3.amazonaws.com/donake/89995109400.pdf
    • https://b5b764bc-4fc6-48d7-9a4b-423a4d05f225.filesusr.com/ugd/3f2390_ec4c68b17a3040669f00e3240ebe9371.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f696ba8f-a436-4b26-abff-a8dc08f4056b/2990301170.pdf
    • https://s3.amazonaws.com/wujapu/astroneer_gateway_engine_guide.pdf
    • https://s3.amazonaws.com/tosevud/genukupuxawadeb.pdf
    • https://uploads.strikinglycdn.com/files/79c6da23-f487-4c70-8cf9-c22b1627af3b/rheem_electric_hot_water_heater_home_depot.pdf
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_e7cbbc91bc0341c9bb74e846ec6aecc7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e6545627-d55f-44d2-aa6d-d6a18b061cfa/22400108119.pdf
    • https://s3.amazonaws.com/vawoginele/71310453144.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
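The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added triage example (this is not the scanner's own code): it pulls /URI targets out of uncompressed link actions, groups the .pdf links by host, finds object ids defined twice with different bodies, and shows what a first-wins versus a last-wins reader would resolve for such an id. The sample PDF bytes, the 512 KiB "small file" cut-off, the three-link minimum and the list of "active content" keys are assumptions made for the example.

```python
"""Added triage helpers for two heuristics in the report: PDF_SEO_LINK_FARM
(many external .pdf links clustered on one host in a small file) and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object id defined twice, so first-wins
and last-wins readers disagree). Thresholds and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" for objects stored uncompressed. Objects packed inside
# /ObjStm streams are invisible to this scan: inflate those streams first.
OBJ_RE = re.compile(rb'(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.S)
# /URI (literal string) in a link action; tolerates \( \) \\ escapes.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)
# Keys that make a duplicated object "active content" (assumed list).
ACTIVE_RE = re.compile(rb'/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm)\b')

SMALL_PDF_BYTES = 512 * 1024   # assumed "small PDF" cut-off
MIN_PDF_LINKS = 3              # assumed minimum; production rules use more


def pdf_uris(data):
    """Return /URI targets (str) found in uncompressed link/action dictionaries."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = re.sub(rb'\\([()\\])', rb'\1', m.group(1))   # undo PDF string escapes
        uris.append(raw.decode('latin-1'))
    return uris


def link_farm_score(data):
    """Reproduce the link-farm shape: small file, many external .pdf links,
    and the largest share of them on a single host."""
    uris = pdf_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlparse(u).hostname or '' for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ('', 0)
    small = len(data) <= SMALL_PDF_BYTES
    return {
        'small': small,
        'external_links': len(uris),
        'pdf_links': len(pdf_links),
        'top_host': top_host,
        'top_share': round(top_count / len(pdf_links), 2) if pdf_links else 0.0,
        'flag': small and len(pdf_links) >= MIN_PDF_LINKS,
    }


def duplicate_objects(data):
    """Map (num, gen) -> {'bodies': [...], 'active': bool} for every object id
    that is defined more than once with differing body bytes."""
    bodies = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {k: {'bodies': v, 'active': any(ACTIVE_RE.search(b) for b in v)}
            for k, v in bodies.items() if len(set(v)) > 1}


def resolve(data, num, gen=0, policy='last'):
    """Pick the body a first-wins or a last-wins reader would use for one id.
    Real readers follow the xref chain; this linear scan is the triage view."""
    bs = [m.group(3).strip() for m in OBJ_RE.finditer(data)
          if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bs:
        return None
    return bs[0] if policy == 'first' else bs[-1]


# Constructed sample (not the analysed file): five link annotations, three on
# one host, then an incremental update that redefines object 4 0 with a
# JavaScript action so the two halves of the file disagree about it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://s3.amazonaws.com/aaa/one.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://s3.amazonaws.com/bbb/two.pdf) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://s3.amazonaws.com/ccc/three.pdf) >> >>\nendobj\n"
    b"7 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.filesusr.com/ugd/four.pdf?index=true) >> >>\nendobj\n"
    b"8 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.weebly.com/uploads/five.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert\\(1\\)) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == '__main__':
    print(link_farm_score(SAMPLE_PDF))
    for key, info in duplicate_objects(SAMPLE_PDF).items():
        print(key, 'active' if info['active'] else 'passive',
              'first-wins:', resolve(SAMPLE_PDF, *key, policy='first'),
              'last-wins:', resolve(SAMPLE_PDF, *key, policy='last'))
```

On the real sample the link annotations live in the FlateDecoded stream carved at offset 0x1B812, so the scan has to run over the inflated bytes, not the raw file; and the host grouping should be done only over the clickable links, since XMP namespace and font-licence URIs would otherwise dilute the per-host share.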

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off0001b812.bin
    SHA-256: 4cb85182fe65d4821482ac8848e681efa3c97766913b832295bfbb2b24864c47
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1B812
    Size: 25528 bytes
  • font_00_sfnt_off000181fc.bin
    SHA-256: 5dd6fb5229a201348ef8ed01d5454d4790ccfc86da8ba8c78b1e7c72aeacc296
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x181FC
    Size: 5044 bytes
  • font_01_sfnt_off000192fe.bin
    SHA-256: daba2710271e7ebc283a5cec1a6fd6c91263c81cd9b2cddde621f64e16d3e782
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x192FE
    Size: 10816 bytes