Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0f64aaf7e0a8a3d…

Verdict: MALICIOUS

File type: PDF

Size: 77.8 KB
Created: 2021-05-31 05:47:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: c918ca7b47d121387bdd236a3edcdbd1
SHA-1: 01d22f162248b986d915abff589ba17868731b66
SHA-256: c0f64aaf7e0a8a3d8dd79dff8e0d75fe1710e6996ed219d40bdf6f5d55d79684
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to domains commonly used for hosting phishing or malware. The primary malicious URL identified is https://seumenha.ru/123?utm_term=avancemos+3+textbook+online+pdf, which is likely used to redirect users to a malicious site. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or distributing further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/123?utm_term=avancemos+3+textbook+online+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eae8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAE8
    Size: 5688 bytes
    SHA-256: 723aa8e75c6633599e569040b847a9e99ab06b1c99600935e3f5136c4f07daa9
  • font_01_sfnt_off0000fe3c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE3C
    Size: 12680 bytes
    SHA-256: bab33597f2a7d897b5b3d225bf65f8cea64f39583f9701255a321a096f4d0c7f