Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0704e77583cf5af…

MALICIOUS

PDF

Size: 105.3 KB
Created: 2021-05-25 02:05:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 37b0b263f2d2a71172f6b6f16324039c
SHA-1: 779f9f0823a8ebeeff4fa4b8509620c66c303e1c
SHA-256: b0704e77583cf5afb788f50eccb6f1eb4aefe1213d4f47c204ab3df26b0f7835

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is small (105.3 KB) yet carries dozens of clickable external links to other PDFs, most of them clustered on a single host (uploads.strikinglycdn.com) with the rest spread over weebly.com subdomains and S3 buckets, plus one prominent URI action pointing at kuzutuzo.ru. This is the shape of a generated SEO link-farm carrier that routes users into malicious or unwanted-software delivery chains, not a genuine document with citations. Both detection channels agree on the verdict: ClamAV matches the signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0, and the Nyx PDF classifier scores the file 0.9987 malicious. The link content is obscured in the rendered document and appears intended to redirect the reader to a malicious domain; the duplicated object definition noted below means the URL a given reader follows can also depend on whether its parser is first-wins or last-wins.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9987)

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=tim+ferriss+4+hour+work+week+worksheet
    • https://panikelixiguju.weebly.com/uploads/1/3/4/4/134478359/cc4cc66a.pdf
    • https://tedozumezefa.weebly.com/uploads/1/3/2/7/132740670/nejutewavesetikad.pdf
    • https://vuxosulaleko.weebly.com/uploads/1/3/2/6/132695375/683453.pdf
    • https://rijifupipi.weebly.com/uploads/1/3/1/4/131453414/fbfdc730244c2c.pdf
    • https://vifojozajo.weebly.com/uploads/1/3/1/4/131454549/rotigirokunotoroke.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4cedb7f3-c6d4-4792-aeaa-17c8004ce3e4/wayne_dyer_the_shift.pdf
    • https://uploads.strikinglycdn.com/files/867ba1a6-fc3e-4de5-a48e-3be828c7126d/delonghi_dragon_heater_manual.pdf
    • https://uploads.strikinglycdn.com/files/3a6ffde1-baa8-4cf4-aeff-f1df1be13d92/ratejovuvi.pdf
    • https://s3.amazonaws.com/fedufiporara/tum_kab_jaoge_atithi_answers.pdf
    • https://uploads.strikinglycdn.com/files/e20475bb-6ade-4c8d-b781-4286917810c4/hp_photosmart_c4580_printer_ink_cartridges.pdf
    • https://s3.amazonaws.com/jikopot/may_printable_calendar_2019.pdf
    • https://uploads.strikinglycdn.com/files/d70f4940-24f7-4f8c-91bf-f59c6b0c5ebb/lpg_gas_pipeline_installation_services_near_me.pdf
    • https://uploads.strikinglycdn.com/files/3a98eeb0-c17e-4438-9fcd-1f703fb37219/basic_math_facts_test.pdf
    • https://s3.amazonaws.com/nemafu/spanish_subject_pronouns_worksheet_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/f4dbb10d-1bea-4a4b-9e9c-70112b596835/pilikezaxunebab.pdf
    • https://uploads.strikinglycdn.com/files/d77696e9-fb87-4acf-8280-e37239b3ebac/what_does_module_in_education_means.pdf
    • https://uploads.strikinglycdn.com/files/2d154e2f-01f6-4376-8d21-0899eff7d4a8/81169433221.pdf
    • https://uploads.strikinglycdn.com/files/564fc310-4f81-4044-b5cd-98f479fb1cfa/hp_laptop_battery_shows_plugged_in_not_charging.pdf
    • https://uploads.strikinglycdn.com/files/cf6f0dcd-87dd-4507-98f0-f3b5717c7f64/epson_error_code_0xf1_workforce_3640.pdf
    • https://uploads.strikinglycdn.com/files/998d902f-a8c2-4f14-b06e-208591f94c2c/86623434205.pdf
    • https://uploads.strikinglycdn.com/files/5dc5005a-4115-4377-990d-ab52946a488a/toshiba_satellite_l755_drivers_for_windows_7.pdf
    • https://uploads.strikinglycdn.com/files/d372ad8c-b05f-46d0-90e0-0d5a2d053cae/vufonobaxe.pdf
    • https://uploads.strikinglycdn.com/files/07efda65-dfa0-4992-83ae-95ae7e5e20b4/how_to_make_a_charcoal_sketch.pdf
    • https://uploads.strikinglycdn.com/files/ffe2a243-60e8-4490-9d89-805b3244e24c/18194696594.pdf
    The entries below are XMP/RDF namespace identifiers and font-licence URLs carried in metadata strings, not navigable link annotations:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
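The three heuristics above that need a parser (PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL) can be reproduced with a raw object scan. The script below is an added illustration written for this report, not the analysis engine's own code. It walks every "N G obj ... endobj" span in the bytes, keeps duplicates so first-wins and last-wins resolution can be compared, counts only URLs reachable through /URI link actions for the link-farm verdict, and separately lists every http(s) string in the file to show why raw URL extraction is informational only. The sample PDF, host names, thresholds (max_size, min_links, cluster_ratio) and the function names are all constructed assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal, uncompressed PDF with
# six /Link annotations and an appended incremental update that redefines
# object 7 0 with a different /URI. No xref table is included because this
# scanner walks raw "N G obj ... endobj" spans rather than following xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/uploads/1/2/3/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/uploads/1/2/3/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/uploads/1/2/3/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example.org/manual.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/uploads/1/2/3/four.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/uploads/1/2/3/five.pdf) >> >> endobj
10 0 obj << /Producer (http://ns.adobe.com/pdf/1.3/ is a namespace, not a link) >> endobj
trailer << /Root 1 0 R /Info 10 0 R >>
%%EOF
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirect.example.com/go) >> >> endobj
trailer << /Root 1 0 R /Info 10 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; real tooling must also handle escaped
# parentheses, hex strings (<...>) and objects hidden inside object streams.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def scan_objects(data):
    """Map (num, gen) -> list of body bytes, in file order (duplicates kept)."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Object numbers defined more than once whose bodies actually differ."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs, key, policy="last"):
    """Pick the body a first-wins or last-wins reader would use for `key`."""
    bodies = objs[key]
    return bodies[-1] if policy == "last" else bodies[0]


def link_action_uris(objs, policy="last"):
    """URLs reachable through /URI actions after resolving duplicates."""
    uris = []
    for key in objs:
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(resolve(objs, key, policy)))
    return uris


def raw_urls(data):
    """Every http(s) URL anywhere in the bytes, regardless of channel."""
    return [u.decode("latin-1") for u in RAW_URL_RE.findall(data)]


def link_farm_verdict(data, max_size=200_000, min_links=5, cluster_ratio=0.6, policy="last"):
    """Flag a small PDF whose clickable links cluster on one host (thresholds are assumed)."""
    objs = scan_objects(data)
    hosts = Counter(urlparse(u).hostname for u in link_action_uris(objs, policy))
    total = sum(hosts.values())
    if total == 0:
        return {"flag": False, "links": 0, "top_host": None, "ratio": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    ratio = round(top_n / total, 2)
    flag = len(data) <= max_size and total >= min_links and ratio >= cluster_ratio
    return {"flag": flag, "links": total, "top_host": top_host, "ratio": ratio}


if __name__ == "__main__":
    objs = scan_objects(SAMPLE_PDF)
    for key, bodies in duplicate_objects(objs).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)} times with different bodies")
        print("  first-wins :", URI_RE.findall(resolve(objs, key, "first")))
        print("  last-wins  :", URI_RE.findall(resolve(objs, key, "last")))
    print("raw URLs in file :", len(raw_urls(SAMPLE_PDF)))
    print("link-action URLs :", len(link_action_uris(objs)))
    print("link-farm verdict:", link_farm_verdict(SAMPLE_PDF))
```

On the constructed sample the scan reports object 7 0 defined twice: a first-wins reader follows b.example.org, a last-wins reader follows redirect.example.com, which is exactly why the duplicate-body heuristic is only escalated when the differing body carries active content. The raw URL count (8) exceeds the link-action count (6) because the /Producer string and the superseded object body both contain URLs that no user can click, mirroring the page's XMP-namespace entries.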

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off000146b1.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x146B1
  Size:    4960 bytes
  SHA-256: 59dd756191be09a48c7e17a037f3714c2e3f7843513fc89a784be538f6d02d80

font_01_sfnt_off0001577e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1577E
  Size:    11856 bytes
  SHA-256: 5f866623e4ad5faa85b15ef69ae2367dcd150878c9ca5bb4141057b176057998

font_02_sfnt_off00017ffa.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x17FFA
  Size:    16312 bytes
  SHA-256: 028dbaa76d48ae99b02248bacea50134e27ed131f5dd39e25ac401de8961e19b