Malicious PDF — malware analysis report

Static analysis result for SHA-256 bba6fb1234ad15b6…

Verdict: MALICIOUS
File type: PDF
Size: 75.0 KB
Created: 2021-03-25 05:00:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e261279216f295d521b0533f2ff75f97
SHA-1: ef16d8d45ac81bee2e286a883a2dab44f328dd57
SHA-256: bba6fb1234ad15b66d7a1577bd049a7e53185600b2de2753e06c517bfbf5f4aa
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized to appear as relevant search results. The primary URL, 'https://lozipotod.ru/award?keyword=antibiotics+not+safe+in+pregnancy+pdf', suggests a phishing or scam attempt by luring users with a seemingly relevant search result. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or content-based scams.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://lozipotod.ru/award?keyword=antibiotics+not+safe+in+pregnancy+pdf
    • https://fanonobumoxevo.weebly.com/uploads/1/3/1/3/131384335/3644076.pdf
    • https://biweworu.weebly.com/uploads/1/3/4/5/134525234/jiwuretedefamawodadi.pdf
    • https://sifuzulujiw.weebly.com/uploads/1/3/4/7/134716539/gejamiwuveja-nosupapesa.pdf
    • https://sisareses.weebly.com/uploads/1/3/1/4/131454440/vorereg.pdf
    • https://poginatiru.weebly.com/uploads/1/3/0/8/130874277/sojolilafotez.pdf
    • https://pezujotage.weebly.com/uploads/1/3/4/3/134318684/52c456.pdf
    • https://welavomuwaj.weebly.com/uploads/1/3/4/6/134633166/4180670.pdf
    • https://luxiwejewukon.weebly.com/uploads/1/3/0/7/130738755/momekurex_jixotokumuvupi_pegix.pdf
    • https://tenemetit.weebly.com/uploads/1/3/2/6/132696414/melasosejukowope.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f87ce62f-3d5d-4c42-bff3-2e7d00444551.filesusr.com/ugd/72ed28_53aa1d00669844af84957dc13e794b44.pdf?index=true
    • https://dd7ee03d-3646-4e01-a1e1-4c0a7e2c9e57.filesusr.com/ugd/d7ba0f_d58bc1f10ed24063b900bccaf7626b92.pdf?index=true
    • https://uploads.strikinglycdn.com/files/08963ff9-715e-402c-908a-c81e16ad454e/magnavox_vhs_dvd_player_remote.pdf
    • https://uploads.strikinglycdn.com/files/cfe0017f-69f2-4492-b56f-cf267235ce62/kobalt_26_gallon_air_compressor_manual.pdf
    • https://s3.amazonaws.com/sitok/crib_size_bed_sheet.pdf
    • https://uploads.strikinglycdn.com/files/692c3a85-7526-4fc6-b2ae-6d3859f97088/lotixuganuwudelowevute.pdf
    • https://a179b4bb-f9e1-4b0b-8685-f881d2afde68.filesusr.com/ugd/0fdb6d_a7f42571fb8d4c678c9e9b6618bc76c0.pdf?index=true
    • https://6cda4dd4-8aac-43e7-8003-7c0eea9f7907.filesusr.com/ugd/34e26e_20e6f55096a74df0bf15c83f18487ca9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9466922f-c221-4441-a025-d59a048ce6bb/17377520307.pdf
    • https://s3.amazonaws.com/xarojapi/mahlab_salary_guide_legal.pdf
    • https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_a6dcdebff4e7498295982a70f1f0ae8a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/98b46735-cff3-4daf-ad8b-6a09e3d31842/6003451575.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e786.bin
    SHA-256: 6689d812d0a6a74fbc99de2eeb440328a457038b3a8b064e525081c9dfc72b89
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE786
    Size: 5524 bytes
  • Filename: font_01_sfnt_off0000fa66.bin
    SHA-256: 496c07d4c1c420ebdcec53c8efa1536500ada242ca244aaf83d801d41e5c51cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA66
    Size: 10520 bytes