Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0e4cf6a9c67216e…

MALICIOUS

PDF

92.1 KB Created: 2021-04-25 02:18:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25ab9ea7419cabc91b047a4f67f71dc7 SHA-1: 1953eed04a3e3136fbeaef4d6933c265749c0823 SHA-256: c0e4cf6a9c67216ee521b44977a558d2b5b652acd5ff23a6b19b1ac9b08e5d21
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits characteristics of a link farm, containing numerous external links to various domains, many of which are hosted on disposable or dynamic DNS services. The primary URL, 'https://jumiwimov.ru/strik?utm_term=oxford+new+syllabus+mathematics+7th+edition+book+1+workbook+solutions', suggests a lure related to educational materials. The presence of a high ML score and ClamAV detection indicates malicious intent, likely to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=oxford+new+syllabus+mathematics+7th+edition+book+1+workbook+solutions
    • http://nipikul.22web.org/cambodian_language.pdf
    • https://wijugola.weebly.com/uploads/1/3/2/3/132303023/5146760.pdf
    • https://zorusijumabek.weebly.com/uploads/1/3/4/8/134851431/5838724.pdf
    • https://negowuvezesat.weebly.com/uploads/1/3/4/8/134859399/ratizoxilupekan.pdf
    • https://galezarulunozip.weebly.com/uploads/1/3/4/8/134896955/c31a0c9118.pdf
    • https://jivixetikuzi.weebly.com/uploads/1/3/4/7/134745571/jafadinulun.pdf
    • http://livelaj.iblogger.org/fexalozinetebalu.pdf
    • http://wozilimesiz.mypressonline.com/butcher_s_crossing_download.pdf
    • http://gifavojam.scienceontheweb.net/1439584085.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://mosujala.rf.gd/zelogavukibed.pdf
    • https://4ad55601-b8ab-4ae0-bc0e-e90069072326.filesusr.com/ugd/3aca14_968ef26067ad4e50a151153d3aab2b1e.pdf?index=true
    • https://6ce95562-7558-49ee-a7b0-b3003db3b0e9.filesusr.com/ugd/d13e1f_a7db00ee078343769b88119a10e5f550.pdf?index=true
    • https://36d3fe4d-ce77-4ecd-ae21-04b42370c250.filesusr.com/ugd/871c54_6baf09632bd547f092f52685118b677f.pdf?index=true
    • http://lolukojalima.epizy.com/kogumorimuboborobugedu.pdf
    • https://caa91486-5fcc-43b7-8b2b-5b817ae85bbe.filesusr.com/ugd/26bbcf_c57eb25deb7b4c71b46a2dad37b3d51c.pdf?index=true
    • https://s3.amazonaws.com/lurutopobi/forged_by_fire_chapter_1_and_2_summary.pdf
    • https://s3.amazonaws.com/bupijila/giving_instructions_worksheets.pdf
    • http://puvafimawebeka.epizy.com/advanced_transport_phenomena_gary_leal.pdf
    • https://4c38db24-2924-4bf2-81c9-04860d987a69.filesusr.com/ugd/a68d8f_5fcd183cc9bd429686d45bf88bd126f6.pdf?index=true
    • https://s3.amazonaws.com/rodiligarexo/zewudofiwodufigu.pdf
    • http://diretisen.rf.gd/angularjs_projects.pdf
    • http://nolonogatifotop.epizy.com/bolizizeg.pdf
    • https://s3.amazonaws.com/sisaxu/xulimuguz.pdf
    • https://s3.amazonaws.com/lorerexeg/91214405171.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010f7b.bin
44c3dfe61bde898b28afdbf36abecf1d0da0f93f28f78455872c3c6b32977972		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10F7B 5888 bytes
font_01_sfnt_off00012388.bin
88d63632a3fded12d15e229868b1ea12ff93c846afa54acbf53252a6e1440449		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12388 12120 bytes
font_02_sfnt_off00014c6d.bin
532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14C6D 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.