Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9a25ce9d7046782…

Verdict: MALICIOUS

File type: PDF

Size: 92.8 KB
Created: 2021-03-30 03:18:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9862b4dc72689e730d53c1fc6b96c619
SHA-1: d04526b6771fd8a004fb7bb52bc00619dd476089
SHA-256: b9a25ce9d7046782b43b543f63aeb3239149bf3d5681a11733691157b92a7f29
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating high maliciousness. The document contains a mass of external links, many of which are SEO-optimized, suggesting a link farm or traffic generation scheme. One of the primary external URIs, 'https://jacksth.ru/wix?keyword=female+reproductive+anatomy+diagram', is likely part of this scheme. No scripts were extracted, but the PDF structure and link farm indicate a malicious intent to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jacksth.ru/wix?keyword=female+reproductive+anatomy+diagram
    • https://cdn.sqhk.co/kulobibab/f5hjAhb/running_shoes_sale_mens.pdf
    • https://vesixogis.weebly.com/uploads/1/3/4/8/134863987/f8222f.pdf
    • https://cdn.sqhk.co/simizekovogi/vhcddhi/planetary_annihilation_unit_limit.pdf
    • https://xapunuzut.weebly.com/uploads/1/3/4/6/134683745/95f34b4b19e.pdf
    • https://tokegomobox.weebly.com/uploads/1/3/4/3/134314144/5c89238a21a8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://36fc1fe3-b646-4cc1-b6e9-de51469aea27.filesusr.com/ugd/3eb4bd_b69d128ad0cb44468a88b0d066fcb9ae.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fb750a0a-a159-4d75-ab46-e4980cb9d5a7/reposition_yourself_living_life_without_limits.pdf
    • https://uploads.strikinglycdn.com/files/f4fdf14f-eb0d-456a-81ac-92c8a8962854/44086485589.pdf
    • https://uploads.strikinglycdn.com/files/8d5893c3-57b8-44c5-857a-f439a7561cc6/nitefokidu.pdf
    • https://6ba7316d-b84b-4ccb-a32a-103c856d4013.filesusr.com/ugd/91f37e_791f36fabcc7425b9b9dabba8c1dcede.pdf?index=true
    • https://e809654a-a95b-4dbc-a338-24085255a2f8.filesusr.com/ugd/1b6cec_f79bcbde598241198654144f6f984622.pdf?index=true
    • https://uploads.strikinglycdn.com/files/99a0c6ba-209c-4034-8a73-25bd7905e668/pajevibomamipaw.pdf
    • https://299bc67c-4c9a-44ea-852c-18f2d39dca40.filesusr.com/ugd/954c8b_a6911f1a25d6485087de577a7d994e46.pdf?index=true
    • https://22e365c6-0853-42e1-82f8-83473bf9c0bf.filesusr.com/ugd/217d68_ff34f6ee42334b37b194a117d2737a7c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1718775b-0ee4-43e8-a2a2-3b16b7535a04/zadefomej.pdf
    • https://uploads.strikinglycdn.com/files/06e9ba1c-1732-4d9a-b41d-88ae78f7a45d/14083056915.pdf
    • https://uploads.strikinglycdn.com/files/af83b227-8457-4dea-9e88-84d09e970d83/sql_for_dummies_review.pdf
    • https://c81c1a69-aec6-471c-ac34-7a6800eafc69.filesusr.com/ugd/9ef1ea_f845661d62834ec6965b9ea95ae0fad8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/02624141-fb52-4613-bd7b-753425b95689/how_to_use_my_mophie_wireless_charging_base.pdf
    • https://eee7329a-c4d5-4508-a8fd-a8ba515f7d9f.filesusr.com/ugd/5ed802_b0e6dbfa6d65466484f368f733c2f517.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7032981f-e579-4008-ad87-cf6f111659db/kobalt_air_inflator_reviews.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012f8d.bin
SHA-256: 82e8ceb57a9cc829b3a1159ef4e3d3ba56412e0e5cbff391c4646285f409f0b9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12F8D
Size: 5332 bytes

Filename: font_01_sfnt_off000141a9.bin
SHA-256: 2f56116a4bbee8f125a8b73deb2396731685ac742c1753fc59d0b55d64c95a43
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x141A9
Size: 10880 bytes