Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8a5849f92390c22…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-03-16 14:15:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98556cca623ada58763be6683c1987d8
SHA-1: 890c897cbdab0604a8b6f05ba1688e150ba92515
SHA-256: b8a5849f92390c22fd7d55fe8af6d72e5b88368747adb546f60550c4893d42ff
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, and the PDF_SEO_LINK_FARM heuristic flags it as a generated link-farm carrier. The lure is an SEO-bait topic ('Dewalt d55168 air compressor reviews'): its link points at https://jacksth.ru/strik with the search phrase passed as utm_term, and the report treats jacksth.ru as a redirector into suspicious destinations. The other clickable links point at further disposable-looking .pdf URLs spread across throwaway hosts (.ru, .xyz, .fun, .space, filesusr.com, s3.amazonaws.com), which is the link-farm pattern rather than a normal citation pattern. Together with the ClamAV signature and the classifier score of 0.9991, this supports a malicious verdict, most likely as a phishing or unwanted-software delivery vector. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not backed by any artifact in this report: the document drives the victim through link annotations rather than active content, and the duplicate-object finding was raised only at info severity. The XMP namespace and font-license URLs at the end of the URL list are metadata, not click targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=dewalt+d55168+air+compressor+reviews
    • http://reduslim-italiaufficiale.site/tegijokafowawdcx7a.pdf
    • http://operationhomeplate.com/elitedesk_800_g4_tower_datasheettlgaa.pdf
    • http://secureappeal.com/puzevigomenujobevaze6na5.pdf
    • http://capridigi.com/audio-technica_at-lp120xusb_manual_direct-drive_turntable_bluetooth66ezd.pdf
    • http://itrom.fun/fono_ingilizce_gramer_kitabmueua.pdf
    • http://daravto18.ru/what_are_the_characteristics_of_transcendentalismwte7y.pdf
    • http://digitalcalakk1.xyz/10885063491mvc38.pdf
    • http://parhelifrl.space/burger_king_coupons_bis_junibq4uy.pdf
    • http://pogadai.xyz/gojigunesiporabebesexila8033l.pdf
    • http://copytoshka.ru/3100031948eh4si.pdf
    • http://bitjoms.xyz/febibtt1hq.pdf
    • http://vsedlyatebya.xyz/munegiw0zgi.pdf
    • http://lnstagramverifiedbadge-media.com/20241447869ogkl1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e148473a-3d1a-46f8-b788-fbc1f5af68d4.filesusr.com/ugd/e1e70b_4790762925894706b9092f81c4c06140.pdf?index=true
    • https://5741878b-e18d-4492-8bbc-c4e6c6b1c8bf.filesusr.com/ugd/e5a943_14228c343ef743bfbc81a4e8ba3250c0.pdf?index=true
    • https://adea4596-07c4-4c45-ba97-107779ed6dc5.filesusr.com/ugd/5bd9e2_5b5def46a6aa48a9a75b132c4f90cca0.pdf?index=true
    • https://s3.amazonaws.com/rekorewexidiwo/pleasant_hearth_pellet_stove.pdf
    • https://910f927c-c14a-4f96-9c93-5d5479f593cd.filesusr.com/ugd/3254bf_0fc0e66b62b049a49188aee5b995030a.pdf?index=true
    • https://368af19b-b9be-4417-8ea7-dfc4611f9fec.filesusr.com/ugd/abd4c0_0b08860602b647c7ab3a86ebf1a5529f.pdf?index=true
    • https://a3de454e-1598-42bb-a259-4eb69c42f179.filesusr.com/ugd/fb5067_5257c684675f4585a29ac15e89ef7ce1.pdf?index=true
    • https://75e6061f-eb7a-4ce8-b546-077bf96366c3.filesusr.com/ugd/2dfd19_48bad3c79acc4d178e33dfd9be685d6e.pdf?index=true
    • https://20128683-61eb-4207-b985-d468b1a81fea.filesusr.com/ugd/0049ca_6dd4b21100dc40d18e8b56a9985c14bf.pdf?index=true
    • https://s3.amazonaws.com/sulasatevirexo/dokuxiditip.pdf
    • https://s3.amazonaws.com/mokixetat/kung_fu_panda_3_villain_theme_song_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not click targets: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP namespace identifiers from the document's metadata stream, and scripts.sil.org/OFL is the SIL Open Font License URL, most likely read out of the embedded fonts' name tables. The two ascendercorp.com entries are probably from the same place (Ascender Corp. is a type foundry), although this export does not show the per-URL channel labels needed to confirm that.
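As an added illustration of the two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), and not the scanner's own code: the script below builds a constructed sample PDF in memory, pulls /URI action targets out of its link annotations, clusters them by host, and shows how first-wins and last-wins object resolution disagree once an incremental update redefines an object. The hostnames, the thresholds (200 KB, 10 links, 50% of links on one host) and the regex-based object walk are assumptions; a real analyzer would also decode object streams, honour the xref tables and handle escaped parentheses in literal strings.

```python
"""Toy detectors for PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.
Added example, not the scanner's code; thresholds and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Plain 'N G obj ... endobj' definitions only; object streams and escaped
# parentheses inside literal strings are out of scope for this illustration.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_objects(data):
    """Map (num, gen) -> list of body bytes in file order (incremental updates append)."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """(num, gen) pairs defined more than once with differing body bytes."""
    return sorted(k for k, bodies in objs.items() if len(set(bodies)) > 1)


def resolve(objs, policy="last"):
    """One body per object: 'last' is incremental-update semantics,
    'first' is what some lenient or streaming parsers effectively do."""
    i = 0 if policy == "first" else -1
    return {k: bodies[i] for k, bodies in objs.items()}


def uri_actions(objs, policy="last"):
    """All /URI action targets visible under the chosen resolution policy."""
    out = []
    for body in resolve(objs, policy).values():
        out.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return out


def resolved_uri(data, num, gen, policy="last"):
    """The /URI target a reader with this policy sees for one object (None if absent)."""
    body = resolve(extract_objects(data), policy).get((num, gen), b"")
    m = URI_RE.search(body)
    return m.group(1).decode("latin-1") if m else None


def link_farm(data, policy="last", max_size=200_000, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many external links, one dominant host.
    The three thresholds are assumptions for this example."""
    uris = [u for u in uri_actions(extract_objects(data), policy)
            if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlparse(u).hostname for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(uris) if uris else 0.0
    return {"size": len(data), "external_links": len(uris), "top_host": top_host,
            "top_share": round(share, 2),
            "flag": len(data) <= max_size and len(uris) >= min_links and share >= min_share}


def classify(data, policy="last"):
    """Heuristic IDs this toy scanner would raise, in the order it checks them."""
    flags = []
    if duplicate_objects(extract_objects(data)):
        flags.append("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL")
    if link_farm(data, policy)["flag"]:
        flags.append("PDF_SEO_LINK_FARM")
    return flags


ANNOT = (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
         b"/A << /S /URI /URI (%s) >> >> endobj")


def build_sample_pdf():
    """Constructed sample (not the analysed file): 12 of 14 link annotations point at
    one host, and an appended incremental update redefines object 10 with a new target."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
            + b" ".join(b"%d 0 R" % n for n in range(10, 24)) + b"] >> endobj"]
    for n in range(10, 22):
        objs.append(ANNOT % (n, b"http://linkfarm.example/doc%d.pdf" % n))
    objs.append(ANNOT % (22, b"https://other.example/a.pdf"))
    objs.append(ANNOT % (23, b"https://cdn.example/b.pdf"))
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    update = (ANNOT % (10, b"https://lure.example/strik?utm_term=reviews")
              + b"\ntrailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for policy in ("first", "last"):
        print(policy, "wins: obj 10 0 ->", resolved_uri(pdf, 10, 0, policy), link_farm(pdf, policy))
    print("flags:", classify(pdf))
```

The point of running both policies is that a sandbox which resolves first-wins and a victim's reader which resolves last-wins will report different click targets for the same object, which is exactly why the heuristic exists; the host-share figure barely moves, so the link-farm verdict is robust to the choice, while the redefined object's URI is not.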

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000f364.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF364    5896 bytes
    SHA-256: bbbffe754fd0e6d7011f947bb56e49950e5274452db1ef34aa0cf572657c1df9
font_01_sfnt_off00010780.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10780   11572 bytes
    SHA-256: 483dff47b4a9b81d9a4da2ea4c3638a489917b5f144ba5b046c0fbd69042eb84