Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3c51d01fcc69276…

Verdict: MALICIOUS
File type: PDF
Size: 85.6 KB
Created: 2021-05-15 12:16:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b254a5cbc849f35133aab3e1f32a8b08
SHA-1: 23f027e00edb8707c4eb4cb9b97e3b144e497a7d
SHA-256: b3c51d01fcc69276014cd0c39586f4941bbe54a6fbd45b947f99b738c2db7f08
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by several independent signals: a critical ClamAV detection (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0), an ML classifier score of 0.9995, and a link-farm heuristic. The file is small (85.6 KB) yet carries a large number of clickable external links to other PDFs, most of them on free-hosting and CDN subdomains (weebly.com, 22web.org, epizy.com, rf.gd, s3.amazonaws.com, static.s123-cdn-static.com); that is the shape of a generated SEO/link-farm carrier rather than a normal citation pattern, and the wkhtmltopdf authoring application is consistent with automated HTML-to-PDF generation. The report does not confirm what the link targets serve; treat them as likely redirectors or download points in an unwanted-software or phishing chain and resolve them only from an isolated environment. The trailing URLs on w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net are XMP namespace identifiers and font-licence pages, not link targets, and should not be counted as indicators. None of the listed heuristics reports JavaScript, so the T1059.007 mapping is not supported by the findings on this page and should be verified before it is reported onward.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it is reported at info level.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=how+to+set+up+airport+express+gen+1
    • https://static.s123-cdn-static.com/uploads/4374185/normal_600407e3d5c95.pdf
    • https://piriwunetu.weebly.com/uploads/1/3/1/3/131379541/muxiwod.pdf
    • https://vikumeniwexawud.weebly.com/uploads/1/3/0/9/130969440/9803231.pdf
    • https://static.s123-cdn-static.com/uploads/4367308/normal_60089a88a9f25.pdf
    • https://zinenefubodejig.weebly.com/uploads/1/3/4/3/134338026/6792968.pdf
    • https://static.s123-cdn-static.com/uploads/4417537/normal_6005b08d3ad0d.pdf
    • https://pofefami.weebly.com/uploads/1/3/4/8/134884789/lupalebek-vositewawevidew-zudefaredevixe-ridokafike.pdf
    • http://merishwheelrecords.com/8648033425564pvx.pdf
    • https://redulexaxoxega.weebly.com/uploads/1/3/0/8/130874010/dddebc.pdf
    • https://dipafasimabake.weebly.com/uploads/1/3/1/1/131164320/jerufi.pdf
    • http://jodujimapiwox.22web.org/logebazetebutemak.pdf
    • https://tezolusubugejel.weebly.com/uploads/1/3/5/3/135314563/forofipovu.pdf
    • http://rawufomoju.22web.org/13713076024.pdf
    • http://tapakidi.22web.org/37601652940.pdf
    • http://probmake12.xyz/adidas_us_to_uk_size_guidemxiur.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fovusuru.epizy.com/most_useful_unix_commands.pdf
    • https://s3.amazonaws.com/mokixetat/borderlands_2_dlc_purchased_but_not_ed.pdf
    • https://s3.amazonaws.com/pukaridimupo/mipiritewezev.pdf
    • https://s3.amazonaws.com/gazitif/29607290975.pdf
    • https://s3.amazonaws.com/xulepiwa/amoeba_primary_form_of_locomotion.pdf
    • http://kotuwelu.rf.gd/book_learning_german.pdf
    • https://s3.amazonaws.com/gowebabuxogiro/63350951929.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net) are XMP/RDF namespace identifiers and font-licence pages, the kind of URI that normally comes from document metadata and embedded font name tables rather than from link annotations. Check the per-URL channel labels before counting them as link-farm targets.

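The two shapes behind the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small static triage routine. The Python below is an added example written for this page, not the scanner's own code. It parses a constructed PDF-like byte string (placeholder hostnames, not the URLs listed above), resolves indirect objects under both first-wins and last-wins policies, reports object numbers defined twice with different bodies, extracts /URI actions from the resolved table, separates XMP namespace URIs from link targets, and scores host clustering. The thresholds (at least four links, 60 % on one registrable domain) and the two-label eTLD+1 approximation are assumptions, not values taken from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample (assumption: not bytes from the analysed file). It
# reproduces two shapes the report flags: object 4 0 is defined twice with
# different bodies (the second copy appended incremental-update style), and
# four link annotations cluster on one registrable domain. The XMP metadata
# stream carries RDF/Dublin Core namespace URIs that are not link targets.
# All hostnames are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.org/cite.pdf) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://aaa.free-host.example/uploads/1/a.pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://bbb.free-host.example/uploads/2/b.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://ccc.free-host.example/uploads/3/c.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (http://ddd.free-host.example/x.pdf) >> >> endobj
9 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://eee.free-host.example/second.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![\d/])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# Well-known XMP/RDF namespace prefixes seen in metadata streams.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                      "http://purl.org/dc/elements/1.1/",
                      "http://ns.adobe.com/")


def parse_objects(data):
    """Indirect objects in file order as (num, gen, body_bytes)."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objects):
    """(num, gen) keys defined more than once with differing body bytes."""
    seen = defaultdict(list)
    for num, gen, body in objects:
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(objects, policy):
    """Object table a reader builds: 'first' keeps the first definition,
    'last' keeps the final one (what an incremental-update parser does)."""
    table = {}
    for num, gen, body in objects:
        if policy == "last" or (num, gen) not in table:
            table[(num, gen)] = body
    return table


def registrable_domain(host):
    """Naive eTLD+1 (assumption): last two labels. A public-suffix list is
    needed for ccTLD second-level domains such as co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_link_uris(table):
    """URLs reachable through /URI actions in the resolved object table."""
    uris = []
    for body in table.values():
        uris += [u.decode("latin-1") for u in URI_ACTION_RE.findall(body)]
    return uris


def extract_other_urls(data, link_uris):
    """URLs in the raw bytes that are not link targets, split into XMP
    namespace boilerplate and anything else worth a second look."""
    found, seen = [], set(link_uris)
    for u in ANY_URL_RE.findall(data):
        s = u.decode("latin-1")
        if s not in seen:
            seen.add(s)
            found.append(s)
    ns = [u for u in found if u.startswith(NAMESPACE_PREFIXES)]
    return ns, [u for u in found if u not in ns]


def link_farm_score(link_uris, min_links=4, min_share=0.6):
    """Flag when there are many clickable links and most target one domain
    (thresholds are assumptions, not the report's)."""
    domains = Counter(registrable_domain(urlsplit(u).hostname or "") for u in link_uris)
    top, top_count = (domains.most_common(1) or [("", 0)])[0]
    share = top_count / len(link_uris) if link_uris else 0.0
    return {"links": len(link_uris), "top_domain": top, "top_share": round(share, 2),
            "flagged": len(link_uris) >= min_links and share >= min_share}


def triage(data):
    """Run both checks and show how the resolution policy changes the link set."""
    objects = parse_objects(data)
    first, last = resolve(objects, "first"), resolve(objects, "last")
    links_first, links_last = extract_link_uris(first), extract_link_uris(last)
    ns, other = extract_other_urls(data, set(links_first) | set(links_last))
    return {"duplicate_objects": sorted(duplicate_objects(objects)),
            "link_farm_first_wins": link_farm_score(links_first),
            "link_farm_last_wins": link_farm_score(links_last),
            "link_uris_last_wins": links_last,
            "namespace_uris": ns, "other_urls": other}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Run it directly to print the triage dictionary. Under last-wins resolution the shadowed first body of object 4 disappears and every clickable link lands on one domain; under first-wins the decoy citation survives and the share drops to 0.8. A scanner that only regex-scrapes raw bytes would see both link sets merged and never notice the disagreement, which is why the duplicate-object check is worth running before counting links, and why the namespace URIs are reported separately instead of inflating the link count.
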
Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fa28.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA28
    Size: 5128 bytes
    SHA-256: 887d4853ce752a1b6db95900bd6da4053ba817c68529fe8905bd6937338ff678
  • font_01_sfnt_off00010bc6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BC6
    Size: 11296 bytes
    SHA-256: 1e653bcda74132aad32fd339cdf59e7a9c135f18adb77ae7d25a97475bcc8508
  • font_02_sfnt_off00013226.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13226
    Size: 16656 bytes
    SHA-256: e3100f46e6d20938c02606d7507508688afe430b44281df1bc821977ef8b1ecd