Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2b5a247dd2d6ace…

Verdict: MALICIOUS

File type: PDF

Size: 193.1 KB
Created: 2021-05-12 21:07:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7508169d96d150aebadaa986c7653efc
SHA-1: 76f383c5ebc2c2a9ecc48cc898aebcfc75bf38a5
SHA-256: b2b5a247dd2d6acee5272e86d9ba8963c947f8be13b7a903ba311edf991fd9b8
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an external URI pointing to 'https://crophysi.ru/strik?utm_term=attack+on+titan+season+4+release+date+animelab', which is likely a phishing lure disguised as a search result. The PDF also exhibits characteristics of a link farm on disposable hosting, further supporting a phishing or malicious redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9656

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/strik?utm_term=attack+on+titan+season+4+release+date+animelab
    • https://merirano.weebly.com/uploads/1/3/2/7/132710628/guvopujug.pdf
    • https://vujewixijul.weebly.com/uploads/1/3/1/4/131437312/9f216.pdf
    • https://suxapenogabako.weebly.com/uploads/1/3/4/6/134602080/razoduzoxa-gojufo.pdf
    • https://lotuvimipel.weebly.com/uploads/1/3/0/7/130739731/tonasisoguxoja_bitot_verapeguga_bemagi.pdf
    • https://logifuvixejexa.weebly.com/uploads/1/3/6/0/136019385/defirosonufefoz.pdf
    • https://cdn.sqhk.co/lojibuwe/gijgggc/adorable_home_cats_don_t_want_to_play.pdf
    • https://cdn.sqhk.co/pabelewexo/idheOjc/famugafevazamivatowix.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d54d55f4-8004-4613-9f19-7b96cbed0ae7.filesusr.com/ugd/ce4b32_612d5adefa75462b93a4cb60e6b7b733.pdf?index=true
    • https://04934832-22f3-474e-96de-b9d593e92251.filesusr.com/ugd/f390e7_e6cb4241d7074fe78957b381c8a67d30.pdf?index=true
    • https://bed2d873-735b-46bb-a8a3-264d0455df4e.filesusr.com/ugd/03ede2_0b885eaf23c44d7a820e6bdbe7bb995a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/05596375-36e6-4a86-816c-53c0f9af96ad/41799102244.pdf
    • https://s3.amazonaws.com/jupudizadid/fifth_harmony_x_factor_uk_performance.pdf
    • https://uploads.strikinglycdn.com/files/0802b28a-4a1d-4208-9f93-e0034c174774/jumijuso.pdf
    • https://a867a740-3546-49c9-bb92-c76f735cad7e.filesusr.com/ugd/c312ff_fbc2443619c44af187b8419071528eb9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cde0e35c-8057-4cab-8c56-03f3d45c9b8b/nuevo_testamento_interlineal_hebreo_espaol_gratis.pdf
    • https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_7e5cf92cd3234f1cbbd17cafd3586e6f.pdf?index=true
    • https://s3.amazonaws.com/xoxaneral/nature_s_answer_fenugreek.pdf
    • https://51bf459c-6b46-41b0-863f-532cf8a77e0d.filesusr.com/ugd/2eedf1_5434c5bb2eba4cf4ad19a8aad4986492.pdf?index=true
    • https://s3.amazonaws.com/jakujakula/kitchen_pro_bread_maker_recipes_k6725.pdf
    • https://23da7c74-6e14-424a-b22a-901aa35eafb1.filesusr.com/ugd/9cc572_feb63f8014554e32a98d2b5a572ecdf6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2abfd213-4767-49ef-9597-6f79c7ddf60e/ms_word_table_of_contents_formatting.pdf
    • https://s3.amazonaws.com/mulerux/marebifepedulofijulozena.pdf
    • https://s3.amazonaws.com/sebunuzu/wiwel.pdf
    • https://uploads.strikinglycdn.com/files/62d17d36-0c60-460b-9649-a798a4f191ee/dufunidikutazozo.pdf
    • https://8084a2ae-6cfb-493d-8155-0d4219c0f7e3.filesusr.com/ugd/5b3528_7db559e5fb1d4563a9bad81d8030e416.pdf?index=true
    • https://02e0da19-eac5-4521-950b-4e410541bf1c.filesusr.com/ugd/516249_3e98d9bf0ccd4e5a8d801c1ea5180633.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • stream_005_off00028558.bin
    SHA-256: 105cbc1f1aa04b8b70ac96442d4a803c1c71827d60886aa031b556d7062d94cc
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x28558
    Size: 13280 bytes
  • font_00_sfnt_off00019bcc.bin
    SHA-256: de039204f406ece29239a431ccc5e1fc0ec4b12563904ac62a0e62c94722a356
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19BCC
    Size: 70864 bytes
  • font_01_sfnt_off00027334.bin
    SHA-256: 37bd4008c4a2a442c387f3ba81cb568518282a0f05fa2c50266455b8327cd053
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27334
    Size: 5368 bytes
  • font_03_sfnt_off0002aae4.bin
    SHA-256: c1f05c9bcf8e2a3fe475ca4728d83d19587319e2545c5d3b790a84024529a31d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AAE4
    Size: 15636 bytes
  • font_04_sfnt_off0002dbd3.bin
    SHA-256: 5e50dfc9225eafa4a6c72b6cdf94921201600bc3883703b00948c4dc04d94fed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2DBD3
    Size: 16680 bytes