Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd1167f49d17b42f…

MALICIOUS

PDF

88.0 KB Created: 2021-03-21 03:42:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9205f1600a17cf4c92ee7cec624a8489 SHA-1: 20b55c15d515926df2937c607f963ad98b8c47a5 SHA-256: bd1167f49d17b42f6b1851989a57aa6641477ff5e1cce8df575a087e2702a146
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'jumiwimov.ru', which is likely a malicious domain used for phishing or malware distribution. The PDF's structure and content suggest it's designed to trick users into visiting this URL, potentially as part of a broader phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/123?utm_term=infamous+first+light+trophy+guide+ps4
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8bffec28-9acc-48dc-8c63-c4ca5a663fb9/pdf_to_jpg_converter_software_free_download_for_mac.pdf
    • https://s3.amazonaws.com/likadojivivofu/davinci_resolve_16_free_templates.pdf
    • https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_823a28a9e8e7422eb604eb7dc078a5db.pdf?index=true
    • https://s3.amazonaws.com/zinudipir/jalepevirek.pdf
    • https://d4180a97-8dd0-4bf1-9e2f-d1b128d1a64d.filesusr.com/ugd/ae059d_1044f73356e64ef5bc38165cb0a955f2.pdf?index=true
    • https://04a80c79-134c-446e-801b-0c1635678e59.filesusr.com/ugd/5cebf8_93d5bed43cc24676840ead831265899b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1f4df627-a0db-4301-b90a-16a6d7342ec4/kenava.pdf
    • https://uploads.strikinglycdn.com/files/f1525b1c-5f27-4abb-b857-7f6581feb3c3/30099772077.pdf
    • https://9a60fab3-6fb0-4be7-9305-b2e3cc44d963.filesusr.com/ugd/811c4f_5fe6a8547f9d4ba2824d5696cd6c88de.pdf?index=true
    • https://19aaccd0-9772-41b6-85c4-be118606641a.filesusr.com/ugd/a12125_96141cc546384e45a1e3227245cc6297.pdf?index=true
    • https://s3.amazonaws.com/lizuseguwix/genie_intellicode_reset_code.pdf
    • https://466f9527-ada3-48b4-ac0c-4ba5546996ca.filesusr.com/ugd/a4b6b9_982c536ca57442908820f1b5d06f0cc1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/30376df6-f5db-4578-bc1e-df977f84c4d7/xbox_one_controller_lb_button_stuck.pdf
    • https://uploads.strikinglycdn.com/files/e774ea80-12ba-4054-bcd0-e303c739c501/54255862313.pdf
    • https://85d2c5a2-fc31-4f76-86b4-4ebe2abe2bf4.filesusr.com/ugd/a8cc01_06f9bc6013fd4309b23881b9bc4aaaba.pdf?index=true
    • https://add83a7c-0e31-48b3-928b-061d82ba9144.filesusr.com/ugd/205ae4_afc722e6d0174fbdb14fed5073cb2dd0.pdf?index=true
    • https://4fd7ac12-06e8-439c-96a9-7636004ccb32.filesusr.com/ugd/9554ab_242212655abc42feb88ecae8932ecae5.pdf?index=true
    • https://s3.amazonaws.com/xifabilejilab/bow_wow_images.pdf
    • https://uploads.strikinglycdn.com/files/9e7bc553-b299-4746-a079-fdc9df39f654/audiolibro_gratis_el_hombre_mas_rico_de_babilonia.pdf
    • https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_0bcaea994d53462dbad23594a39eb34b.pdf?index=true
    • https://13fad4bf-7224-44b3-802b-16842e97d241.filesusr.com/ugd/b14664_f88056dca7d84ad6847f074c0eaa3491.pdf?index=true
    • https://07f52280-50dc-49c2-beec-a2e30bf849d0.filesusr.com/ugd/7b8f90_fbb1f45dfba74d5faef41c2643e8b623.pdf?index=true
    • https://770ad53b-b55e-4e58-b1eb-3709f41304f7.filesusr.com/ugd/98e298_9dd4ae33820143ac88d2a4c16ae00d14.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000116b2.bin
df926311b533118c3e197b58c7eba8a4a3766fb25bbe110b46d5ede06d6c4099		 pdf-font-stream PDF embedded font (sfnt) at offset 0x116B2 5584 bytes
font_01_sfnt_off00012994.bin
403a29d1f39a9321de577db75513af469dee38f0a4678735b72b38b1dc9ff5ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12994 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.