Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9b30f5f1900d59a…

MALICIOUS

PDF

Size: 83.7 KB
Created: 2021-03-28 18:44:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4ad279781b62390c8561b57c8299c89
SHA-1: 2a9cfd8b0afd42e736ba3b97eae190dd1259b4eb
SHA-256: b9b30f5f1900d59a77e760188bcbf8fb4c876cd81dbfeff5b01e106161905515
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a significant number of external links, with one heuristic specifically flagging it as a 'PDF_SEO_LINK_FARM'. The primary malicious URL identified is 'https://jacksth.ru/award?keyword=vertical+farming+journal+pdf', which is likely part of a phishing or SEO spam campaign. ClamAV also detected this file as 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0', further indicating malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://jacksth.ru/award?keyword=vertical+farming+journal+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010821.bin | 63ca98b64d841fc7c6b6248e5aa581d95ce2ec64570e983586d14c5d8ce11a65 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10821 | 5340 bytes
font_01_sfnt_off00011a3f.bin | d406e228c11daf2fbf10b4935d6b61abbd893cda7c5f61b760602a5dd431b080 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A3F | 12252 bytes