Malicious PDF — malware analysis report

Static analysis result for SHA-256 b206db7645d71e35…

MALICIOUS

PDF

Size: 67.0 KB
Created: 2021-04-03 02:46:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: faf2ac2090e0fb7cd6a6a2f019e55890
SHA-1: 763c4d16b37289f316a49c5084f7b880953e3752
SHA-256: b206db7645d71e35d80dbbcdf3cf82ca4adeeb83e2500b1d144a79ee21e9f747
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for SEO poisoning and phishing. The heuristic PDF_SEO_LINK_FARM indicates a large number of external links, and one of the primary URLs points to a domain associated with malicious activity. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=why+is+my+xfinity+remote+blinking+red
    • https://xomugewobi.weebly.com/uploads/1/3/0/8/130814749/selidobijawikonixe.pdf
    • https://cdn-cms.f-static.net/uploads/4469863/normal_5fdc33499bd58.pdf
    • https://static.s123-cdn-static.com/uploads/4418192/normal_5fffd94fb58cb.pdf
    • https://static.s123-cdn-static.com/uploads/4427795/normal_5ff0027092a19.pdf
    • https://jawemojope.weebly.com/uploads/1/3/4/3/134399256/xixozuwix.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bofake/pikarut.pdf
    • https://uploads.strikinglycdn.com/files/53a127b4-7ab9-403b-b0b5-1f906f42af39/85461648188.pdf
    • https://s3.amazonaws.com/murudute/sajalag.pdf
    • https://s3.amazonaws.com/lupebesu/cannibal_ox_the_cold_vein_zip.pdf
    • https://uploads.strikinglycdn.com/files/faac302f-085f-4118-9820-df0db27c1d09/78411960167.pdf
    • https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_b8f19072a86549b0964916dc34812d88.pdf?index=true
    • https://s3.amazonaws.com/panalipolifod/54812166228.pdf
    • https://uploads.strikinglycdn.com/files/152cc982-9317-46d1-9108-ab7688b29c97/journey_to_the_west_full_movie_download_in_hindi_480p.pdf
    • https://070488ba-e3d9-4c74-834b-445551f5513c.filesusr.com/ugd/fb83f1_43dd2638c11341f99d3e6b26acb955b1.pdf?index=true
    • https://s3.amazonaws.com/levumoduf/solex_carburetor.pdf
    • https://s3.amazonaws.com/jenisozazewubo/55935188775.pdf
    • https://d190c387-1498-4382-a59e-98d1a0a9794c.filesusr.com/ugd/a91264_a4af87c77b5a4da1b3d75b40ad3156b9.pdf?index=true
    • https://79f67b98-100a-41ac-8a2f-4880133f117e.filesusr.com/ugd/f12c90_a7c2c067cca0403f9b26dcee5d5840ea.pdf?index=true
    • https://s3.amazonaws.com/takateg/skoda_navigatie_amundsen_update_en.pdf
    • https://s3.amazonaws.com/jubiferekaka/bosch_series_8_tumble_dryer_manual.pdf
    • https://23da7c74-6e14-424a-b22a-901aa35eafb1.filesusr.com/ugd/9cc572_2786d848f5fc4fedb8d0f0e800fa42f5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cd26.bin
    SHA-256: abcc9bd0395fd943c00f0f55fab45b6c240f9848838cf9f440ca3f7ce72a46a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCD26
    Size: 5500 bytes
  • font_01_sfnt_off0000dfcc.bin
    SHA-256: 18807a47db2b2c37f93e41c0a58098eb43c1fc9789e752f3dd8ccc13dfe40fc0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDFCC
    Size: 9132 bytes