Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5808128f7438ff4…

MALICIOUS

PDF

90.1 KB Created: 2021-04-02 00:28:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e10fc24d53dedecda5d8676a229d180a SHA-1: 43b5113b3d532e256d0366dcc8b27415b8b1e141 SHA-256: b5808128f7438ff4dfe6b31a02c4908a9975fa74f1a8021d643b96eea27d9a37
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1190 Exploit Public-Facing Application

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' and another flagging a 'Payment redirection / bank-detail change lure'. The ML classifier and ClamAV also indicate maliciousness. The document body, though heavily obfuscated, contains text related to making extra money, which is a common lure for phishing and scams. The presence of embedded URLs suggests an attempt to redirect the user to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/aws?utm_term=how+to+make+extra+money+on+the+side+uk
    • http://tumafabo.22web.org/what_is_a_narrow_down_statement.pdf
    • http://sutunir.22web.org/portada_the_economist_2020.pdf
    • http://tefiwofo.22web.org/46349478944.pdf
    • http://nojekufa.22web.org/anthropological_theory_of_value.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kaseborodemo.rf.gd/57707168691.pdf
    • https://c948e902-2437-43f3-9f1e-7aaad30688a7.filesusr.com/ugd/464a75_4365f6f8a9ed4a2f8a5708e8c1c64d38.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0defccfc-f7a4-41a1-b2b0-d0023d16f38a/69082740029.pdf
    • https://4fe85328-8dbf-40e9-afa8-2c8d6ff8a9c8.filesusr.com/ugd/9c0842_c201845ca6cc4bee9b3fe0fc2d486461.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fbea0d7b-2691-47bf-84d9-a291b689ef8a/34676974471.pdf
    • https://734e8db3-b9db-457c-abaa-08c06218e7ae.filesusr.com/ugd/f6bb82_118795d01df644a4b938ee7fef0b32e3.pdf?index=true
    • http://zoruvalumupubi.rf.gd/famavusimibodaxebuzano.pdf
    • https://7fe6b731-3703-45da-bcbe-faf39b4d3392.filesusr.com/ugd/880a7e_8bc46f12aef849d78cd2f2a5d97759b8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1775e78e-28be-48a8-803e-f6cdcd9d800c/fairy_tales_worksheet_second_grade.pdf
    • https://uploads.strikinglycdn.com/files/1484e071-d276-4a78-a72b-0e4f5e322956/how_much_are_english_classes.pdf
    • https://uploads.strikinglycdn.com/files/692c7748-5406-44cc-afed-f1e1a42026cd/thunder_cake_book_read_online.pdf
    • https://uploads.strikinglycdn.com/files/aa8070db-65d1-41c0-9efc-59d9c59ea789/corrector_grammatical_english_online_free.pdf
    • https://uploads.strikinglycdn.com/files/eb89be14-1301-4e98-8c48-d5946db99c40/30064587429.pdf
    • https://05efeaee-ea5b-4dc8-bddc-a5098cc0dcbd.filesusr.com/ugd/c06c30_e2ed1e913a6b41709e476c00eb454ee5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/317597af-dd81-45ab-aa18-79895685fd93/is_cool_mist_or_warm_mist_humidifier_better_for_congestion.pdf
    • https://uploads.strikinglycdn.com/files/0e78cbe5-5d1e-4b66-8b9e-a88365e0eede/95102680938.pdf
    • https://uploads.strikinglycdn.com/files/ad927cea-dd5e-4be7-8ce2-e3fd821e3512/hamilton_beach_countertop_oven_with_convection__rotisserie_31100.pdf
    • https://uploads.strikinglycdn.com/files/83db33ca-c0d6-47be-84e1-d79154347ec8/68115008087.pdf
    • https://uploads.strikinglycdn.com/files/d1466690-a5d3-4bdd-ba33-cd2639123a90/math_problem_solver_for_5th_grade.pdf
    • https://uploads.strikinglycdn.com/files/2e164343-982f-4a31-a92b-cdff22bf52ff/how_to_write_a_short_bio_for_a_new_job.pdf
    • https://uploads.strikinglycdn.com/files/c3d8c195-e134-4fe9-a232-a3c0e6643444/34555178286.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011f4a.bin
d58f3979a13509843378424d7a1a46d913251fdab69d41508132be92c33891df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11F4A 5320 bytes
font_01_sfnt_off00013147.bin
c489aeec4f8eae326c3afbb656aa98cfc040b4b4a5605d574c732f5258545ee5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13147 11660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.