Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1283de1f32667e4…

MALICIOUS

PDF

105.2 KB Created: 2021-03-26 03:46:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bbc3b65589672a2df79a54bdfdbdd18f SHA-1: 16e566eb93dfe0fe8053cb06b927c57cd4897fb0 SHA-256: b1283de1f32667e400b89194bf9c439357069c541f9fd0d5117eb6a7f8966e20
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to disposable domains, suggesting a link farm or phishing operation. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a social engineering attack, likely spearphishing, designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/aws?utm_term=what+is+classroom+management+definition
    • https://static.s123-cdn-static.com/uploads/4451561/normal_6008cf89a31e9.pdf
    • http://deemonatrafik.xyz/iso_27001_guidelinesv2jmz.pdf
    • http://healsmall.space/prophet_shepherd_bushiri_books_freetnn0q.pdf
    • https://static.s123-cdn-static.com/uploads/4425921/normal_600479412534c.pdf
    • https://cdn-cms.f-static.net/uploads/4391954/normal_600a405eae397.pdf
    • https://fefokepixax.weebly.com/uploads/1/3/1/4/131452923/suxideloxusuk_zetofimizoz_zarusof.pdf
    • https://cdn.sqhk.co/rijomawonuj/9MarjdC/godatadadanil.pdf
    • https://cdn.sqhk.co/raxuzuvuluf/dajiBja/27894091445.pdf
    • https://lapadodipelij.weebly.com/uploads/1/3/1/1/131164402/piginupejipe.pdf
    • https://cdn.sqhk.co/fuwufupi/Lhclwhf/nevovovoxifamofun.pdf
    • https://static.s123-cdn-static.com/uploads/4409814/normal_5ffeb1e6a5ef6.pdf
    • https://tuxutumixebapi.weebly.com/uploads/1/3/1/4/131438514/436ab9.pdf
    • http://bravos-kids.ru/how_do_i_use_the_function_keys_on_my_logitech_keyboardunq06.pdf
    • https://lejuziluzamof.weebly.com/uploads/1/3/4/8/134863123/6225369.pdf
    • https://cdn-cms.f-static.net/uploads/4476268/normal_6010ce40b2637.pdf
    • https://sepuvoguzunisam.weebly.com/uploads/1/3/4/4/134488558/2638118.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/34af2ebb-3c52-4422-9154-1b6205bd890f/2763864793.pdf
    • https://uploads.strikinglycdn.com/files/0c9aed8c-b12e-421c-8a25-dfaefaead0af/87038627578.pdf
    • https://167c8e7b-8160-49a2-a88e-f26749d647c8.filesusr.com/ugd/1ad47d_6dc4c5f08f97416f8eb4318e89b1c822.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1b6a8105-94c9-4ed0-9e2e-0d6ade6a1e9e/gepideva.pdf
    • https://28546a20-d0cc-4b82-bb4f-6711990cd5a3.filesusr.com/ugd/0bcf16_33597482fab1436c91c6fae1ff3c5530.pdf?index=true
    • https://b40f07b9-a98f-42b6-a6e2-5dc2c82ebb0e.filesusr.com/ugd/e949ea_e5f7a98507bc4d23a07320b15ee3abd3.pdf?index=true
    • https://1a73feee-b327-4bc5-ac54-9d367b44a425.filesusr.com/ugd/226baa_211f6877cf334a769f7e5f21c096b87b.pdf?index=true
    • https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_1faf6fcf530d48d396f1447b36375d23.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015ea4.bin
8712b155a33016d7cc497421b368d117baefbb06cf47e8a209d68e220e89934b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15EA4 5448 bytes
font_01_sfnt_off0001710b.bin
e056cdb800e459cb987049cf76420311c037af22dbcd7eb7270237324737d3b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1710B 11576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.