Malicious PDF — malware analysis report

Static analysis result for SHA-256 b26165d9e0086744…

Verdict: MALICIOUS
File type: PDF
Size: 72.1 KB
Created: 2021-03-30 16:43:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c6ee1ee9a16a0ab65edcdb7804bea14
SHA-1: cb39fa4273c31aeb7a880537ffd065ed83fc3c44
SHA-256: b26165d9e00867442da22298be30dbac5701ee98bfdbd56fd23a8f83208d744c
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries around thirty clickable external links to other PDFs, about half of them on uploads.strikinglycdn.com and the rest on weebly.com sites, s3.amazonaws.com buckets, f-static.net and s123-cdn-static.com, with a lead link to jumiwimov.ru that carries a search-keyword query parameter. That clustering is what the PDF_SEO_LINK_FARM heuristic flags, and the Nyx classifier (0.9956) and the ClamAV Pdf.Phishing.Trojan signature agree on a malicious verdict. The links most plausibly route readers to phishing pages or to further downloads, matching a spearphishing-attachment pattern. The producer string (wkhtmltopdf 0.12.5 via Qt 4.8.7) indicates an HTML-to-PDF conversion, consistent with a mass-generated carrier rather than a hand-authored document. Note that none of the five heuristics below reports JavaScript, an OpenAction or any other active content, so the T1059.007 mapping is not corroborated by this static pass.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature match
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): external URI
    PDF contains an external URL action (a /URI action reached through a link annotation or another trigger).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically across an incremental update. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a /JS or /URI action).
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection, and this export does not label each URL with the channel (macro, JS, link annotation, document body, ...) that reached it. The PDF_URI finding shows that at least some are link-annotation URI actions; the trailing w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs, and scripts.sil.org/OFL and ascendercorp.com are licence and vendor strings from the embedded fonts, none of which is clickable.
    • https://jumiwimov.ru/wix?keyword=visualization+of+the+mind+pathfinder
    • https://jitebogegamoma.weebly.com/uploads/1/3/4/7/134761197/lefoxomobakolupuge.pdf
    • https://torimavilok.weebly.com/uploads/1/3/5/9/135984964/tanamesavelo-gixigikoxaxor-duseg.pdf
    • https://static.s123-cdn-static.com/uploads/4497359/normal_5fe27372abaf1.pdf
    • https://cdn-cms.f-static.net/uploads/4414332/normal_6024461e67615.pdf
    • https://nobazivikiva.weebly.com/uploads/1/3/0/7/130776215/vojodedulof-renejidixamas-fibokid-mekin.pdf
    • https://molisepav.weebly.com/uploads/1/3/5/3/135347716/2510483.pdf
    • https://cdn-cms.f-static.net/uploads/4465543/normal_600bba6512ead.pdf
    • https://moxudoged.weebly.com/uploads/1/3/3/9/133999753/226f2c7a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/364dee7f-3033-4243-99ee-5aa21a8d869d/kodozudegatanujipexojoz.pdf
    • https://uploads.strikinglycdn.com/files/410efc5b-d705-4770-8d9b-c3c54defb67d/foler.pdf
    • https://uploads.strikinglycdn.com/files/abf32bf0-d8a4-4e16-a854-859b6f558733/libro_de_espaol_segundo_grado_lecturas.pdf
    • https://s3.amazonaws.com/tamobalasu/motewiverifezewape.pdf
    • https://uploads.strikinglycdn.com/files/517361b6-a4b9-40bb-bc66-5b8413671828/prayer_guide_template.pdf
    • https://uploads.strikinglycdn.com/files/8b28af1c-5a7f-4668-a2f7-d57297314317/52351438490.pdf
    • https://uploads.strikinglycdn.com/files/086b9ac1-a5f0-4755-bd43-45f84026eb47/99237302956.pdf
    • https://uploads.strikinglycdn.com/files/8a80c949-6a29-4f90-b248-fb71af591ae2/oedipus_rex_summary_scene_2.pdf
    • https://s3.amazonaws.com/tosevud/wavepad_full_version.pdf
    • https://s3.amazonaws.com/wewiro/46261065810.pdf
    • https://uploads.strikinglycdn.com/files/d4dbfcae-77b3-4194-b14f-b12524747051/majestic_gas_fireplace_cleaning.pdf
    • https://s3.amazonaws.com/wifukedot/penelalexunenela.pdf
    • https://uploads.strikinglycdn.com/files/faa1e402-4fb0-48c2-9490-fd9c5aaf1509/covid_19_safety_signs_free_download.pdf
    • https://uploads.strikinglycdn.com/files/f5b42dd3-d7a9-441d-af10-c2845dafdfa8/sig_p226_reviews_9mm.pdf
    • https://uploads.strikinglycdn.com/files/d152234d-f473-425f-9797-00b435c59470/geometric_invariant_theory_google_books.pdf
    • https://uploads.strikinglycdn.com/files/aaccd01f-5e3e-479f-9d24-38bef885cf6a/gamuwabapugotosasavotoso.pdf
    • https://uploads.strikinglycdn.com/files/f865bf4c-5e8b-4e67-980c-9fa636e525f8/guxamefusubuw.pdf
    • https://uploads.strikinglycdn.com/files/469cd94b-f491-4d39-ba81-720971b702cb/mitologia_griega_de_medusa_y_poseidon.pdf
    • https://s3.amazonaws.com/divikufifir/how_to_set_up_voicemail_on_a_panasonic_home_phone.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
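The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the channel labelling that EMBEDDED_URL describes can be reproduced with a few dozen lines of regex-driven parsing. The block below is an added illustration, not the report engine's code; the PDF bytes are constructed for the example, the regexes handle only literal `/URI (...)` strings, and the size, link-count and host-share thresholds are assumptions chosen to make the example fire. It shows the point a practitioner cares about: a first-wins and a last-wins reader see different link sets for the same file, and in this sample the link-farm verdict flips with the resolution policy.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): three /Link annotations with /URI actions,
# two of them on one host, an XMP stream carrying a namespace URI, and an incremental
# update that redefines object 4 with a different body.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example/three.pdf) >> >> endobj
7 0 obj << /Type /Metadata /Subtype /XML /Length 55 >> stream
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://c.example/late.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_STRING_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only (no hex, no escaped parens)
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes in file order. Incremental updates legitimately
    redefine objects, so one key can carry several bodies."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen), differing bytes."""
    return {k: (v[0], v[-1]) for k, v in objs.items() if len(set(v)) > 1}


def resolve(objs, policy="last"):
    """Flatten to one body per object the way a first-wins or last-wins reader would."""
    idx = 0 if policy == "first" else -1
    return {k: v[idx] for k, v in objs.items()}


def link_annotation_uris(resolved):
    """Clickable targets: /Link annotations whose action is /S /URI."""
    uris = []
    for body in resolved.values():
        if LINK_RE.search(body) and URI_ACTION_RE.search(body):
            m = URI_STRING_RE.search(body)
            if m:
                uris.append(m.group(1).decode("latin-1"))
    return uris


def labelled_urls(data, resolved):
    """EMBEDDED_URL: every URL-looking string in the file, labelled by channel."""
    clickable = set(link_annotation_uris(resolved))
    return {
        m.group(0).decode("latin-1"): "link-annotation"
        if m.group(0).decode("latin-1") in clickable else "metadata/body"
        for m in ANY_URL_RE.finditer(data)
    }


def link_farm_score(data, resolved, max_size=200_000, min_links=3, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable external links, mostly on one host.
    The three thresholds are illustrative assumptions, not the report engine's values."""
    hosts = Counter(urlsplit(u).hostname for u in link_annotation_uris(resolved))
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    hit = len(data) <= max_size and total >= min_links and share >= min_share
    return {"external_links": total, "top_host": top_host, "top_share": share, "hit": hit}


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("duplicated objects:", list(duplicate_objects(objs)))
    for policy in ("first", "last"):
        view = resolve(objs, policy)
        print(policy, link_annotation_uris(view), link_farm_score(SAMPLE_PDF, view))
```

Run as a script it prints the duplicated object (4 0), then the link list and link-farm verdict under each policy; the dict returned by `labelled_urls` is where a report would get the per-URL channel labels that this export omits.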

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000dcf5.bin
  SHA-256: f78e5cd7bfe9a6886b0e78c218367be037caf45f6fa97451104a7e5e4d12e95c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDCF5
  Size: 5296 bytes

Filename: font_01_sfnt_off0000eed8.bin
  SHA-256: 7efac140c9aa9e4885c37c45c9dc219ec2883b6c8594df26dcb21c3026d15d64
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEED8
  Size: 10548 bytes
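Carving these font artifacts means walking the PDF's stream objects, undoing FlateDecode where it is declared, checking for an sfnt header and reading the table directory to find the font's true end. The block below is an added example of that procedure, not the analyser's own carver; it builds a small constructed PDF with one plain content stream and one compressed single-table sfnt, and its assumptions are a direct `/Length` value in each stream dictionary and no object streams or cross-reference streams. The filename, offset and size it reports follow the same `font_NN_sfnt_offXXXXXXXX.bin` pattern as the table above.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}  # TrueType, CFF OpenType, Apple TrueType
OBJ_HDR_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_KW_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")  # direct /Length only; '/Length 9 0 R' is not resolved here


def sfnt_length(blob):
    """Byte length of the sfnt at the start of blob (end of its last table), or None if
    the header is not a well-formed sfnt. Keeps a carver from trusting stream padding."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    end = 12 + 16 * num_tables
    if num_tables == 0 or len(blob) < end:
        return None
    for i in range(num_tables):
        _tag, _csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off + length > len(blob):
            return None
        end = max(end, off + length)
    return end


def carve_fonts(pdf):
    """Walk object headers sequentially, inflate FlateDecode streams and keep any whose
    decoded bytes begin with an sfnt. Offsets are file offsets of the raw stream data."""
    found = []
    pos = 0
    while True:
        m = OBJ_HDR_RE.search(pdf, pos)
        if m is None:
            break
        pos = m.end()
        s = STREAM_KW_RE.search(pdf, m.end())
        e = pdf.find(b"endobj", m.end())
        if s is None or (e != -1 and e < s.start()):
            continue  # ordinary object with no stream
        dict_bytes = pdf[m.end():s.start()]
        lm = LENGTH_RE.search(dict_bytes)
        if lm is None:
            continue
        data_off, length = s.end(), int(lm.group(1))
        raw = pdf[data_off:data_off + length]
        pos = data_off + length  # never re-scan inside binary stream data
        blob = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                blob = zlib.decompress(raw)
            except zlib.error:
                continue
        n = sfnt_length(blob)
        if n is None:
            continue
        font = blob[:n]
        found.append({
            "object": (int(m.group(1)), int(m.group(2))),
            "offset": data_off,
            "size": n,
            "sha256": hashlib.sha256(font).hexdigest(),
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), data_off),
            "bytes": font,
        })
    return found


def build_sample_pdf():
    """Constructed input: a minimal sfnt (one 'head' table, 82 bytes) embedded as a
    FlateDecode stream, plus a plain text content stream that must not be carved."""
    font = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
            + struct.pack(">4sIII", b"head", 0, 28, 54) + b"\x00" * 54)
    comp = zlib.compress(font)
    plain = b"BT /F1 12 Tf (hello) Tj ET"
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog >> endobj\n",
        b"2 0 obj << /Length %d >> stream\n" % len(plain) + plain + b"\nendstream endobj\n",
        b"3 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n" % (len(comp), len(font))
        + comp + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts), font


if __name__ == "__main__":
    pdf, _ = build_sample_pdf()
    for rec in carve_fonts(pdf):
        print(rec["filename"], rec["sha256"], "object %d %d" % rec["object"], "%d bytes" % rec["size"])
```

On a real sample the `/Length` of a font stream is often an indirect reference and the font may live inside an object stream, so a production carver resolves lengths through the xref table and decodes object streams first; the sfnt header walk is the part that stays the same.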