Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4f4c53c563eac53…

Verdict: MALICIOUS
File type: PDF
Size: 76.6 KB
Created: 2021-04-06 11:36:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 525350d519c99c1b73c365148c363505
SHA-1: db23882206cd914f3ef4e7f4e08863442daadb77
SHA-256: b4f4c53c563eac532cbc958a59687c71e43040b5ad542bc44b91e23190ede1e6
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous external links, a common technique for SEO poisoning and phishing. The primary malicious URL, https://vilenefex.ru/wix?keyword=chemfax+lab+answers+chemical+reactions, is presented as a search result, likely to trick users into visiting a malicious site. ClamAV detection and ML classification strongly indicate malicious intent, specifically identified as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=chemfax+lab+answers+chemical+reactions (primary malicious URL)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/feseni/glyceryl_trinitrate_infusion_guidelines.pdf
    • https://uploads.strikinglycdn.com/files/8bfb5976-804a-4f08-b278-31d4a505a07d/farewell_my_lovely_film_plot.pdf
    • https://s3.amazonaws.com/nalifij/role_of_caste_in_politics.pdf
    • https://s3.amazonaws.com/nafoxuda/game_designer_job_description_template.pdf
    • https://746420f6-3007-491b-ba72-fd43be5094e5.filesusr.com/ugd/277b62_5024fca5b8c24343844d9225ad07b90b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/29223a8d-6a46-433d-aae7-9facc2ade2eb/lujebedugenonakujukapu.pdf
    • https://uploads.strikinglycdn.com/files/da3718ec-fbeb-43ae-b0d3-81c6f8e60fe2/72874242206.pdf
    • https://85fc0914-20e3-4f1c-be8c-de7e6f89f47e.filesusr.com/ugd/a44510_55d71e005f714d1fae5518097c19c2f7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b84b17bb-6682-4987-b40a-3dc2a0651599/god_emperor_of_dune_miniseries.pdf
    • https://uploads.strikinglycdn.com/files/34734774-fee1-4e65-b38e-5fe0f94d97d3/bedojalatuzupat.pdf
    • https://53ee2ee6-42da-4c96-954f-60f726bc8d53.filesusr.com/ugd/de2744_6e0394ee32b545b583e837e6bc8704d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a5edeb8d-3389-4549-a6e3-24fbf46eefbb/an_inspector_calls_cast_2012.pdf
    • https://uploads.strikinglycdn.com/files/791adf68-815b-4741-bf31-3f53fa530852/english_phonetics_and_phonology_peter_roach.pdf
    • https://s3.amazonaws.com/limepusotanal/sub_zero_650_service_manual.pdf
    • https://uploads.strikinglycdn.com/files/71472a75-a980-420c-841c-3979df4af3dc/hp_elitebook_8540p_driver_pack.pdf
    • https://uploads.strikinglycdn.com/files/f3d9a568-4b41-4f2e-8f54-3391058975f3/the_slight_edge_chapter_4_summary.pdf
    • https://uploads.strikinglycdn.com/files/5b7cfdf1-8575-4a38-8c81-3ab462a60ba1/tulimanofadikulofif.pdf
    • https://s3.amazonaws.com/gewuwasi/pitagebid.pdf
    • https://uploads.strikinglycdn.com/files/8799514a-5a5d-4ed9-9326-d0f2221ab479/poor_mans_james_bond_vol_5.pdf
    • https://s3.amazonaws.com/dinigugaxej/laxokikubakiwalanivoxa.pdf
    • https://6a24fdd2-d4a5-4c4b-882b-0f3115751bcf.filesusr.com/ugd/04e6f9_857469896b6e47818233f12fe6f3738e.pdf?index=true
    • https://s3.amazonaws.com/fonibinaraj/basic_aptitude_test_sample_questions_and_answers.pdf
    • https://uploads.strikinglycdn.com/files/0c46f7e6-7231-44ad-8cbc-cb7f23105a9a/5804926734.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ecd9.bin
  SHA-256: f6fde39bb0a5098664dbaac39a01c58c1896345f5eb0d0311c4d0a0b730b1763
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xECD9
  Size: 5328 bytes

Filename: font_01_sfnt_off0000fedc.bin
  SHA-256: 8c575f31329ad7431e8a320818f64c57b0d76f36cd997114cdb01359dc334599
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFEDC
  Size: 10628 bytes