Malicious PDF — malware analysis report

Static analysis result for SHA-256 aedce8bbe5a046ee…

MALICIOUS

PDF

Size: 74.8 KB
Created: 2021-04-11 14:56:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8793a7c3cb3caf97a49ae7e01631766b
SHA-1: 95559498720f710b1196b7b7efe20a9211d6b851
SHA-256: aedce8bbe5a046ee2e5e6d11d3fef9e03129827c9926ebbc1767f786ab1ae4df
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily garbled, contains a technical query that is likely used as a lure to disguise the malicious nature of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e392.bin | 7a729b9e5c5558f50c7c4d59711190032201ff035d4a9646a326bcf512667dd6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE392 | 5468 bytes
font_01_sfnt_off0000f617.bin | cf912a2a9c90310ab91ff0536f5fdac6e8df2926459b374a5680452e490225b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF617 | 11724 bytes