Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5721f7407da8ef3…

Verdict: MALICIOUS
File type: PDF
Size: 118.6 KB
Created: 2021-03-28 22:39:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f7f0acf4d65e82292c5a36c4893f0afd
SHA-1: 76026bf61f727cfc8c5970350af00b3fb8bf3fbf
SHA-256: b5721f7407da8ef3a5efc0b0f1c0498a5a58a8b33f28ed6483aca93eb17e29bb
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, most of them to generated file names on a small set of hosts, which is the pattern of an SEO-poisoning / link-farm carrier rather than of a document that cites sources. The ClamAV signature and the ML classifier both rate the file as malicious, consistent with a phishing lure or a redirector into a further malware delivery chain. No script was extracted from the file, so the T1059.007 (JavaScript) mapping is not supported by the evidence in this report; the verdict rests on the link-farm structure, the signature match and the classifier score, and the harmful behaviour sits at the linked URLs rather than inside the document itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion pattern used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when a duplicate carries active content; here it stays at info, i.e. neither body was flagged as active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is recorded per URL.
    • https://bologen.ru/wix?keyword=jbl+on+stage+manual
    • https://cdn.sqhk.co/bajafigotuvi/jeezidj/97431032382.pdf
    • http://begdas.fun/frigidaire_top_load_washer_parts_diagramj5ga6.pdf
    • https://cdn.sqhk.co/xonipavu/eSigKhe/rebaxuxojutusakadarobo.pdf
    • http://cleanup-sale.site/finajozevalelakepesizuzud700p.pdf
    • https://cdn.sqhk.co/vakolitakap/hghU2UX/69801580538.pdf
    • http://stonersfranchise.com/kitidabujutimabolevu3hzrp.pdf
    • https://cdn.sqhk.co/judigirowe/dOjjIhb/you_are_not_answerable_to_me.pdf
    • http://riragukigud.scienceontheweb.net/bujupidek.pdf
    • http://trokot-shopnew.online/526015661868dzy.pdf
    • http://kigirifaduguv.getenjoyment.net/adobe_illustrator_cs6_tutorials_in_urdu.pdf
    • http://crysety.xyz/fall_under_a_spell_in_spanisha63sg.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ff5ab256-a407-4697-91b9-141751226614.filesusr.com/ugd/4205e4_9f7b937233f64ec7b2ce6d3f65d9652b.pdf?index=true
    • http://xuxalonitu.onlinewebshop.net/84482957439.pdf
    • https://8316a071-1c81-4729-bbc9-bb84f51c1359.filesusr.com/ugd/b2ba6b_b8455e7a8ced4f4997c3ab1e569eb2d0.pdf?index=true
    • http://bowegasobufur.myartsonline.com/bulk_up_diet_plan.pdf
    • http://tanonarimunal.myartsonline.com/cloud_computing_infrastructure_as_a_service.pdf
    • https://0bc2ebcf-5b85-435c-8290-6c6350a165f2.filesusr.com/ugd/ee98f5_a6e367284dcb48a1b00125ee9572e46e.pdf?index=true
    • https://d7ae471b-a447-437d-81b4-4e603f8679d9.filesusr.com/ugd/0a3240_1f0145398cb04c79aa93b2aed03af6da.pdf?index=true
    • https://57fc24c6-ba7c-430a-bdae-05304608b610.filesusr.com/ugd/bc9c68_4a78553868f344e8a73e7c932591bc2b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The nine entries from w3.org onward are XMP namespace identifiers (RDF, Dublin Core, Adobe XMP/PDF schemas) and font-licence URLs (SIL Open Font License, DejaVu). They come from document metadata and embedded font name tables, not from link annotations, and should be excluded when counting clickable external links.
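As an added example (my code, not the analysis platform's), the script below reproduces the two structural checks above over raw PDF bytes: it pulls /URI targets, drops the XMP namespace hosts, measures how strongly the remaining links cluster on one host (PDF_SEO_LINK_FARM), and finds object numbers defined more than once with different bodies, rating the duplicate critical only when one body carries an active action (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The embedded PDF, the metadata host list and the thresholds (3 links, 60% on one host) are constructed for the example and are not the report's tuning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): the first revision defines
# object 4 as a plain /URI link annotation; an appended incremental update
# redefines "4 0 obj" with a different body that carries a /JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/a/1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/b/2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://cdn.example.test/c/3.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.w3.org/1999/02/22-rdf-syntax-ns#) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Action types that make a duplicated object "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|SubmitForm|ImportData|GoToR|RichMedia|OpenAction|AA)\b")
# Hosts that appear as XMP namespace identifiers in metadata, not as link targets.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}


def extract_uris(pdf):
    """Every literal-string /URI target in the raw bytes (all revisions of an incremental file)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_verdict(uris, min_links=3, cluster_ratio=0.6):
    """(flagged, dominant_host, share_of_links) over clickable links, ignoring metadata namespaces."""
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    for h in METADATA_HOSTS:
        hosts.pop(h, None)
    total = sum(hosts.values())
    if total < min_links:
        return False, None, 0.0
    host, n = hosts.most_common(1)[0]
    ratio = n / total
    return ratio >= cluster_ratio, host, ratio


def duplicate_objects(pdf):
    """Map (num, gen) -> details for every object defined more than once with differing bodies."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    result = {}
    for key, seq in bodies.items():
        distinct = []
        for b in seq:
            if b not in distinct:
                distinct.append(b)
        if len(distinct) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in distinct)
        result[key] = {
            "first_wins": distinct[0],   # what a reader keeping the first definition resolves
            "last_wins": distinct[-1],   # what a reader keeping the last definition resolves
            "active": active,
            "severity": "critical" if active else "info",
        }
    return result


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    flagged, host, ratio = link_farm_verdict(uris)
    print("links:", len(uris), "link farm:", flagged, host, round(ratio, 2))
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print("%d %d obj defined twice, severity %s" % (num, gen, info["severity"]))
        print("  first-wins:", info["first_wins"][:60])
        print("  last-wins: ", info["last_wins"][:60])
```

This is a raw-byte scan, so it sees both revisions of the file and also misses anything a triage tool would only find after decoding: objects packed into /ObjStm streams and hex-string (`/URI <...>`) targets. Note too that a conforming reader resolves an object through the newest xref section; first-wins versus last-wins is what lenient recovery parsers do when they ignore or rebuild the xref, which is exactly why a body-only duplicate is a confusion primitive.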

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f943.bin (pdf-font-stream, 42580 bytes)
    Source: PDF embedded font (sfnt) at offset 0xF943
    SHA-256: 2ccffb8295e75f5e872eec84de39ddc0173b909c6c35a616a4ad5a1f451180d3
  • font_01_sfnt_off00017cd7.bin (pdf-font-stream, 5040 bytes)
    Source: PDF embedded font (sfnt) at offset 0x17CD7
    SHA-256: 3a3eaf91e0704d4aff941c451dc2d34b24ab56256a71337ec85b94349a4681f0
  • font_02_sfnt_off00018dec.bin (pdf-font-stream, 11824 bytes)
    Source: PDF embedded font (sfnt) at offset 0x18DEC
    SHA-256: 013aa90d499400fb0cb3f88355f46b328f4652e8df7dc05e6c2c78a396fed70b
  • font_03_sfnt_off0001b503.bin (pdf-font-stream, 16160 bytes)
    Source: PDF embedded font (sfnt) at offset 0x1B503
    SHA-256: 31f54bf1b2a0bd5fcefce680aa7bc0ab7b2c48a0f9a6877104dd616c0c0a5462

    The size column is the length of the carved (decoded) font data, not the on-disk stream length: each gap between consecutive offsets (about 33, 4 and 10 KB) is smaller than the size of the font before it, and 0x1B503 plus 16160 bytes would run past the end of a 118.6 KB file. The font streams are therefore stored compressed and have to be decoded before they can be carved or hashed. No heuristic fired on the fonts themselves; the hashes are listed so they can be matched against known font files.
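To reproduce the font extraction over decoded stream data, here is an added example (my code, not the analysis platform's carver). It locates sfnt containers by their magic, validates the table directory so that a stray `true` token in PDF syntax is rejected, computes each font's extent from the directory rather than trusting a stream length, and names and hashes each hit in the same style as the artifact list. The sample blob, the table contents and the 64-table sanity limit are constructed assumptions.

```python
import hashlib
import struct

# sfnt container signatures: TrueType (0x00010000), CFF-based OpenType ("OTTO")
# and Apple TrueType ("true").
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # assumed sanity limit; real fonts have far fewer tables


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_extent(buf, off):
    """Walk the table directory at buf[off:] and return the font's byte length,
    or None if the header does not describe a plausible sfnt (false-positive magic)."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if num_tables == 0 or num_tables > MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):  # tags are printable ASCII, e.g. b"cvt "
            return None
        if toff < dir_end or toff + tlen > len(buf) - off:  # table outside the buffer
            return None
        end = max(end, toff + tlen)
    return end


def carve_sfnt(buf):
    """Return a list of {name, offset, size, sha256} for every sfnt found in buf, in file order."""
    found = []
    pos = 0
    while True:
        hits = [p for p in (buf.find(m, pos) for m in SFNT_MAGICS) if p != -1]
        if not hits:
            break
        off = min(hits)
        size = sfnt_extent(buf, off)
        if size is None:
            pos = off + 1  # magic without a sane directory: keep scanning past it
            continue
        chunk = buf[off:off + size]
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
            "offset": off,
            "size": size,
            "sha256": sha256_hex(chunk),
        })
        pos = off + size  # skip the font body so its own bytes are not rescanned
    return found


def build_sfnt(tables):
    """Build a minimal TrueType-flavoured sfnt container (constructed fixture, not a usable font)."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    directory, body = b"", b""
    offset = 12 + 16 * num
    for tag, data in tables:
        pad = (-len(data)) % 4  # tables are 4-byte aligned
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += data + b"\0" * pad
        offset += len(data) + pad
    return header + directory + body


def build_fixture():
    """Constructed PDF-like blob: a false-positive 'true' token, then a decoded font stream."""
    font = build_sfnt([(b"head", b"H" * 52), (b"name", b"N" * 12)])
    blob = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Marked true >> endobj\n"
            b"5 0 obj << /Length " + str(len(font)).encode() + b" >> stream\n"
            + font + b"\nendstream endobj\n")
    return blob, font


if __name__ == "__main__":
    blob, _ = build_fixture()
    for f in carve_sfnt(blob):
        print(f["name"], f["size"], f["sha256"])
```

On a real sample the /FontFile2 or /FontFile3 stream must be inflated first (zlib.decompress on a FlateDecode stream) and the carver run over the decoded bytes; running it over the raw file finds nothing, which is the same reason the offsets and sizes in the artifact table do not add up as raw positions. The directory walk is also what keeps a partial or truncated font from being hashed as if it were complete.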