Malicious PDF — malware analysis report

Static analysis result for SHA-256 b386757a50d748c5…

MALICIOUS

PDF

97.7 KB Created: 2021-03-15 03:59:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a2bb31098bbccb4c48c83dfa885c9b3 SHA-1: b10e7b44b640d82dcfa3735652c24cf6309ef134 SHA-256: b386757a50d748c52c868ab0dc6a701f23ec91f8b8b95476242103e097b4f504
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with one specifically pointing to 'jacksth.ru/wix' which appears to be a link farm designed to mimic search results. This heuristic, combined with the ClamAV detection and ML classifier flagging, strongly suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and the presence of many external links indicate an attempt to redirect the user to malicious content, likely leveraging a PDF vulnerability or social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=dyson+dc59+motorhead+manual+pdf
    • http://bikejesoxatelo.mygamesonline.org/ashton_woods_apartments_greenville_nc.pdf
    • http://teachost.com/9297065258875spv.pdf
    • https://tepiduti.weebly.com/uploads/1/3/5/9/135974730/muwus-lewizifobo.pdf
    • https://cdn.sqhk.co/dovawowo/Hihif5C/cut_and_paint_mod_apk_download_android_1.pdf
    • https://komamopiragi.weebly.com/uploads/1/3/4/4/134444029/jigen-nedudo-subojazope-remikuxut.pdf
    • http://thepropheticapp.com/692214430449w5w6.pdf
    • https://cdn.sqhk.co/palugalanivo/tuibZji/guns_germs_and_steel_worksheet_answers.pdf
    • http://wordsidepost.top/jekyll_github_pages_templateckb88.pdf
    • https://cdn.sqhk.co/tefulobesa/aghieNb/zotopu.pdf
    • http://rofogukiluvupu.mygamesonline.org/caracteristicas_principales_del_modo_de_produccion_feudal.pdf
    • http://wazepewazivulil.mywebcommunity.org/hp_photosmart_c5280_all-in-one_printer_price.pdf
    • http://paxenazubenib.mygamesonline.org/how_to_program_a_ge_universal_remote_to_directv.pdf
    • http://vclean-sale.shop/falajuduborevokafigugagcp4r1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8aefc570-8454-48c3-bb63-d4d1067b7ce0.filesusr.com/ugd/5c9621_f872664a147045909c6d98d45e17038a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c094764e-0baa-480b-aae0-316a75700cba/esv_bible_online.pdf
    • https://uploads.strikinglycdn.com/files/fab3f133-4e96-4c69-8b8a-6f0fe8121a55/how_to_analyse_choice_of_words.pdf
    • https://uploads.strikinglycdn.com/files/a5b378ce-8702-4255-be12-0238657ddd8b/bob_evans_menu.pdf
    • https://uploads.strikinglycdn.com/files/d0cdc8b0-61b6-4093-9530-4d3d708ec1cd/sanokabogiko.pdf
    • https://9e1b5e4e-b4ab-405b-8fdf-b3b6d7b19c28.filesusr.com/ugd/94ea38_114f015d4e38430d8c2ea4b2d841ca3c.pdf?index=true
    • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_6d0921e63049445393f0e945612edaa3.pdf?index=true
    • https://c216880a-03a2-4774-ab7e-121c93799e8f.filesusr.com/ugd/b5aed9_28d8d6783ce64b5e8188e746ea33c110.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ee5fa9aa-5322-4dd9-a330-b1a5458a4a31/blender_2.9_beginner_tutorial_part_1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000125de.bin
6b24c34ac7c8fff14e4a06ddfb0b65bc095a78c2b6a2595053003542ed763f67		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125DE 5776 bytes
font_01_sfnt_off0001396c.bin
9799656406bffc720fc7cfb0ec2803f1e22ec1ec1b7652b0c77006b8e3b420cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1396C 13076 bytes
font_02_sfnt_off00016414.bin
a0852c4690a6c7c4be107c8faaea32186891696821b3a96aec1037a99786b2f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16414 16076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.