Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba1b97c9762fde07…

Verdict: MALICIOUS
File type: PDF

Size: 77.0 KB
Created: 2021-03-22 11:30:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d385e4bc17979ae39a7f67adc23bbc54
SHA-1: 530939f149ead6dd2e37c8918799528e579bf927
SHA-256: ba1b97c9762fde07cd0a79c99329149b4fb990aa154b0202ad5bfc746c9967a9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Heuristics indicate that this PDF is a phishing document: it contains a large number of external links, most of which look like SEO spam. The primary malicious URL, 'https://soxebez.ru/wix?keyword=cuisinart+toaster+oven+manual+pdf', is embedded in the document and suggests a phishing lure themed on product manuals. ClamAV independently detects the file as 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0', which corroborates the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): external URI
    The PDF contains an external URL (/URI) action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://soxebez.ru/wix?keyword=cuisinart+toaster+oven+manual+pdf
    Other extracted URLs (the last seven entries are XMP namespace identifiers and the SIL Open Font License URL, which normally originate in document and font metadata rather than in clickable links):
    • http://frankiearvelo.com/rufus_wainwright_hallelujah_piano_sheet_music9ih8u.pdf
    • https://cdn-cms.f-static.net/uploads/4365539/normal_603a054b996f9.pdf
    • http://teasmall.space/avatar_izgi_film_izle_1._sezon_1._bx9edz.pdf
    • http://kofupum.mygamesonline.org/61937608893.pdf
    • http://fajujefa.getenjoyment.net/16134953806.pdf
    • https://static.s123-cdn-static.com/uploads/4368489/normal_5ffcde046e109.pdf
    • http://reduslim-eu.site/earthquake_san_diego_twittermrkoc.pdf
    • http://just-gopro.com/zedixerajswr3t.pdf
    • https://cdn-cms.f-static.net/uploads/4414695/normal_60303c8d49410.pdf
    • https://static.s123-cdn-static.com/uploads/4414691/normal_6006e737c7f36.pdf
    • http://larijasetejupaz.mypressonline.com/wipases.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/42a060cf-f780-44ab-bbc1-ec4223e82d75/remington_700_short_action_308_bolt_face.pdf
    • https://ced6af22-cf5f-4df0-9cd6-2d424634d287.filesusr.com/ugd/3eed2b_660e807d95a74c5e9fa9df41b1e5e715.pdf?index=true
    • https://uploads.strikinglycdn.com/files/954e8b09-2a26-47ba-8018-b7b1285b2e20/99029184643.pdf
    • https://uploads.strikinglycdn.com/files/ca271708-ab6d-4b0c-858c-c3a784769351/47694409033.pdf
    • https://fb3efafe-1b0e-41a1-9434-8bf556110c4a.filesusr.com/ugd/de5e41_0b540ff96fc44b53b4067a4f63b057d0.pdf?index=true
    • https://926da24b-d3df-4aea-ac1b-ebdf7359a9e7.filesusr.com/ugd/fef925_092d3a25029f4802ac95abdbbe841e4a.pdf?index=true
    • https://f38be386-5799-403b-9303-fb121113655a.filesusr.com/ugd/6f1aa7_38a3beb9959642f8a6036b249d893484.pdf?index=true
    • https://uploads.strikinglycdn.com/files/305eeb60-10d2-4a82-884b-f267bebb8ae5/reflexive_verb_exercises_spanish.pdf
    • https://631ffb88-cf2d-4844-8d6b-9338a1b21cc5.filesusr.com/ugd/d24e6f_d96a5b8f2bec45a7bc74813adf79ef31.pdf?index=true
    • https://3e1ae61b-6b68-46dc-8a90-d1c7a5b9f91c.filesusr.com/ugd/b8bbd7_225ceba6f6bd4a89b1aa9091a995f3ee.pdf?index=true
    • http://tapoloferazuziw.atwebpages.com/39656262357.pdf
    • https://uploads.strikinglycdn.com/files/bd33c463-718c-46c4-8ea6-1bc82cf0f8dd/28041603016.pdf
    • https://b01cffea-7a05-49e8-9781-04202a21c04b.filesusr.com/ugd/d5d855_ae18a0f3db314230aa80c3e7384f3faf.pdf?index=true
    • http://xenexafa.myartsonline.com/6174596449.pdf
    • https://ba3a7bb5-edd2-4228-b29c-cf272df6a868.filesusr.com/ugd/bd1c09_a10cadc2b50d4e01a3d6bd2f6a09cec5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
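
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can both be reproduced with a byte-level scan of the file. The Python below is an added illustration written for this page, not the analyser's own code and not derived from the sample: SAMPLE_PDF is a constructed PDF-shaped byte string, the thresholds in link_farm_assessment and the ACTIVE_KEYS list are assumptions, and the object walker deliberately ignores the xref table and object streams so that stale definitions left behind by incremental updates are still seen.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): /URI link actions on two hosts,
# followed by an incremental-update-style append that redefines object 4 0
# with a different body. Page tree and xref are omitted; the scan does not need them.
SAMPLE_PDF = b"""%PDF-1.4
4 0 obj
<< /S /URI /URI (https://example.test/a.pdf) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A 4 0 R >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/x.pdf) >> >>
endobj
7 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/y.pdf) >> >>
endobj
trailer
<< /Size 8 >>
%%EOF
4 0 obj
<< /S /URI /URI (http://farm.example/z.pdf) >>
endobj
trailer
<< /Size 8 >>
%%EOF
"""

# "N G obj ... endobj" at the byte level, every definition in file order.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI (literal string), allowing PDF backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Assumed list of keys that make a duplicated object "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def iter_objects(data):
    """Yield ((num, gen), body_bytes) for every indirect object definition."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def duplicate_objects(data):
    """Object ids defined more than once with differing bodies -> {(num, gen): [bodies]}."""
    seen = {}
    for key, body in iter_objects(data):
        seen.setdefault(key, []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, key, policy="last"):
    """Body that a first-wins or last-wins reader uses for an object id (None if undefined)."""
    bodies = [b for k, b in iter_objects(data) if k == key]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def duplicate_severity(bodies):
    """Escalate only when some version of the duplicated object carries active content."""
    return "critical" if any(k in b for b in bodies for k in ACTIVE_KEYS) else "info"


def extract_uris(data):
    """All /URI action targets, decoded as Latin-1 (PDF literal strings are bytes)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_assessment(uris, min_links=3, min_pdf_ratio=0.6, min_top_host_share=0.5):
    """Link-farm shape: many external links, mostly .pdf targets, clustered on one host.
    The thresholds are assumptions for this example, not the analyser's tuned values."""
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    if len(external) < min_links:
        return {"link_farm": False, "links": len(external)}
    pdf_ratio = sum(urlparse(u).path.lower().endswith(".pdf") for u in external) / len(external)
    top_host, top_count = Counter(urlparse(u).hostname for u in external).most_common(1)[0]
    share = top_count / len(external)
    return {
        "link_farm": pdf_ratio >= min_pdf_ratio and share >= min_top_host_share,
        "links": len(external),
        "pdf_ratio": pdf_ratio,
        "top_host": top_host,
        "top_host_share": share,
    }


def analyse(data):
    """Run both checks and report what first-wins and last-wins readers would see."""
    uris = extract_uris(data)
    return {
        "uris": uris,
        "link_farm": link_farm_assessment(uris),
        "duplicates": {
            f"{n} {g}": {
                "severity": duplicate_severity(bodies),
                "first_wins": resolve(data, (n, g), "first"),
                "last_wins": resolve(data, (n, g), "last"),
            }
            for (n, g), bodies in duplicate_objects(data).items()
        },
    }
```

On the constructed sample, analyse(SAMPLE_PDF) reports four .pdf links with three of them on farm.example (link-farm shape), and object 4 0 with two bodies: a first-wins reader opens example.test while a last-wins reader opens farm.example. Because both bodies carry a /URI action the duplicate is escalated to critical, whereas the real sample's duplicate stayed at info because its differing bodies carried no active content. A scanner and a viewer that disagree on the resolution policy is exactly what makes this shape useful to an attacker.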

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efb1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFB1
    Size: 5152 bytes
    SHA-256: 3d82c4a4e0f39be313dcd4a8b72802e8e9db843d346632ac0bb948818cd9d8ab
  • font_01_sfnt_off00010126.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10126
    Size: 10868 bytes
    SHA-256: e650bcf9060571d8cc5b337b72cd09d7a9efa3a00c45b113d6c25d3f45c37b79