Malicious PDF — malware analysis report

Static analysis result for SHA-256 b168e3056edde003…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-03-05 21:18:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f51cc852cb3c3596e52762a706bb0749
SHA-1: 9534fc130af2a250146bbe94283db8a9227ced9e
SHA-256: b168e3056edde003909373bc714137c10bb027d72afb7451a0b92badb47a0315
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for SEO poisoning or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. The embedded links likely lead to further stages of infection or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ef87.bin | 0950093243335ccfff9ec6668b641a369276a82125295f0134219dc093cf3466 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF87 | 5272 bytes
font_01_sfnt_off0001018e.bin | 92b3c1c0ac7c37966402e4e32cc36dea9442ff0368e2b406b7e7ef97057f243e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1018E | 10028 bytes