Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad0fe7fcf155ea8a…

MALICIOUS

PDF

84.5 KB Created: 2021-03-16 03:31:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6520dd70a123df2de274bd4a43fd062b SHA-1: 350a7ba9528f234e1fe00bff102816228e94cdfa SHA-256: ad0fe7fcf155ea8a389cb06344f82b48a952d348c9a819f72df03bb6bb111414
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or scam campaign, leveraging a link farm to redirect users to potentially malicious external sites. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of generated links, suggesting an attempt to manipulate search engine results or distribute malware. The presence of multiple external URIs, including one with a keyword that appears to be a lure, supports this assessment. No scripts were extracted from this sample, but the structure and embedded URLs point towards a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=57+hv+brain+teaser+answer
    • https://cdn.sqhk.co/xupodafib/R0k2gdY/ludakegasafafoli.pdf
    • https://cdn.sqhk.co/gapebeve/1vgfjfY/shark_fishing_old_school_runescape.pdf
    • http://letnesil.xyz/como_crear_un_con_imagenes_en_mac4cmx9.pdf
    • https://cdn.sqhk.co/figesuweno/biihfKF/word_brain_game_free_for_pc.pdf
    • http://gotesesevuzi.iblogger.org/battery_status_bar.pdf
    • https://cdn.sqhk.co/vomuvojovi/hhj27FH/76529513115.pdf
    • http://videohost.space/dixie_chopper_servicehi0ii.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fapaga/81042268154.pdf
    • https://s3.amazonaws.com/bulozor/adjournment_application_under_crpc_format.pdf
    • https://972af30b-04c2-4618-b911-83ba0b7fef9e.filesusr.com/ugd/84a5c6_c1376b8a9c9f4474afe5b811177bdf17.pdf?index=true
    • https://uploads.strikinglycdn.com/files/91c38361-9b87-43a4-9e3f-5e5e459fc592/vonazinizizagorenuta.pdf
    • https://uploads.strikinglycdn.com/files/96071b0d-81ce-4956-85e0-8ce6b700f0e0/83801766805.pdf
    • https://6afed14e-2b01-442b-8c2e-11a8a6f39965.filesusr.com/ugd/46a5ae_7f54bffaa9184d2cb15e98abf979a34f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/56060256-3079-4de5-8605-fd3dc3d858f1/a_series_of_unfortunate_events_library_quotes.pdf
    • https://dd907c4b-492b-4b4d-bf3c-9f0b7a2bd2c7.filesusr.com/ugd/96a426_35e7112d0bce46a2b576083ec65f743b.pdf?index=true
    • https://7ae52be2-ba3c-41fb-8935-29281088223e.filesusr.com/ugd/affaa6_14b59e6e73094e11b4bd5e702a6ded52.pdf?index=true
    • http://pefemopu.epizy.com/modifying_comparatives_and_superlatives_worksheets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f737.bin
8b52ae4a5cb6dd5bfeeee196835ef30234bdf01ac4d25970ceab7da5198aabd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF737 5144 bytes
font_01_sfnt_off000108ca.bin
aecc20f5883d8ea85d5226807b81cbdfd66e14a5bd07903ca4cc8a1e684f79a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108CA 11324 bytes
font_02_sfnt_off00012f93.bin
a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F93 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.