Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8d8ed287741feb8…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-03-27 17:12:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb2840a83f16a663f091ce6246371a26
SHA-1: 9538619635bc69b255b0b9737a8b0c6bd3c1fb73
SHA-256: b8d8ed287741feb82260ed0bf8619381982ee1ef83bddb7fbe1d4e8b8c711fc3
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file triggered the link-farm heuristic: it directs users to a suspicious external URL. The ML classifier and ClamAV also flagged the file as malicious, ClamAV specifically as a phishing trojan. The embedded URL most likely serves as a lure to a site that hosts further malicious content or a phishing page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=wacky+wednesday+book+answers
    • http://winatesef.sportsontheweb.net/is_amazing_fantasy_15_a_good_investment.pdf
    • http://basagutidabe.sportsontheweb.net/ziwoxojibidovan.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/73d35941-53b7-4c59-b4d9-ee1910f2ffc8/texivisejetizevitetaruko.pdf
    • https://uploads.strikinglycdn.com/files/cd2960f1-d678-4737-aa24-aa633d54773e/7272419395.pdf
    • https://s3.amazonaws.com/rirusozo/facebook_android_app_timeline_review.pdf
    • https://237a2310-9536-43ad-add1-fe73b840a51a.filesusr.com/ugd/8b319d_5d01cd4628604fcc915a3d5eb3f6ffc6.pdf?index=true
    • https://3ae4d138-4ba3-4962-98fb-1b98b40a6a82.filesusr.com/ugd/38062a_edd98ea5169041ddb3dcbba8b6468dac.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fd81d7e2-c8f1-4c6f-82b6-3208833f2d1a/arduino_projects_for_dummies_download.pdf
    • https://uploads.strikinglycdn.com/files/69784cd5-ac92-4e91-a5cc-6de517c99653/us_constitutional_law_book.pdf
    • https://a146b927-ed54-472d-b3a8-6b137e313b92.filesusr.com/ugd/4d400c_41085521141143178a8104f718d1fdd0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/69f33477-7c70-4ccd-a13c-890ceb27cd53/gapapaninu.pdf
    • https://s3.amazonaws.com/toliwudalamem/penubiwevuwiwogafulikir.pdf
    • https://uploads.strikinglycdn.com/files/e45f671f-3395-4f5f-860f-9ddffdcadf67/tanogowi.pdf
    • https://6376acfe-5884-4251-b3d5-19a03c044549.filesusr.com/ugd/de3d83_a379dd33191e49ec8ad8af228099195c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c351281b-0de7-429e-b89c-dcfa0876dcc3/geneva_bible_vs_kjv_1611.pdf
    • https://uploads.strikinglycdn.com/files/2b2c917c-1efa-4b3b-97c5-17bce202601b/yahoo_finance_stock_market_news_live_updates.pdf
    • https://s3.amazonaws.com/vunizi/47268998532.pdf
    • https://uploads.strikinglycdn.com/files/12d36201-5613-4e6f-818c-3a4e73c7657d/vajedumefibug.pdf
    • https://s3.amazonaws.com/luramamelolem/debovi.pdf
    • https://s3.amazonaws.com/rafiralexezol/difference_between_formative_assessment_and_summative_evaluation.pdf
    • https://uploads.strikinglycdn.com/files/d6d87d27-9689-40ac-9e3d-44fb550aec94/msi_h81m-e33_bios_settings.pdf
    • https://uploads.strikinglycdn.com/files/baf606ac-30d6-4c1c-a63d-db4e1890a539/what_to_learn_first_in_arabic.pdf
    • https://uploads.strikinglycdn.com/files/f9d13ff4-2743-4c9d-97ee-99d2e25b1bad/best_multiplayer_survival_games_on_steam.pdf
    • https://425e2ee7-996f-4c6d-a593-b44a2a39b733.filesusr.com/ugd/bb05c1_99c5190162c84877ac945732fa4fcab9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ed21.bin
    SHA-256: f74e64b55ce2b75c1c7244d8fea1e0a6f3bdd26dd5bcaab9537ce7dcfec96db0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED21
    Size: 5312 bytes
  • Filename: font_01_sfnt_off0000ff5e.bin
    SHA-256: 32410f6ea973be976204b423adc072c3ec5b730035bff563c270f6c6338bb995
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF5E
    Size: 11304 bytes