Malicious PDF — malware analysis report

Static analysis result for SHA-256 c20e145c4820b27f…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-03-18 17:53:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4490d086d73dd63bb6aed77477666fe2
SHA-1: bc7ee3eef33b556acda915a259eac84c5501b87c
SHA-256: c20e145c4820b27ffed13c05a53431bf0abb7e3f096e7a02dcf00d47aa2e87d8
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, including one to 'https://xajibur.ru/wix?keyword=makita+mac5200+parts+diagram', suggesting it is part of a link farm or SEO poisoning scheme that directs users to potentially harmful content. The embedded URLs and the overall structure point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xajibur.ru/wix?keyword=makita+mac5200+parts+diagram

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00010073.bin
    SHA-256: a110d5decfe76377dadca17853ec1eecc58f1ad45f363612d4df17ce27bfe7c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10073
    Size: 5280 bytes

font_01_sfnt_off0001126b.bin
    SHA-256: 4823262786314c6f3421f27cd812b249abe9d3ee914afb33bfcb4791b2b60ce5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1126B
    Size: 11204 bytes

font_02_sfnt_off0001386a.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1386A
    Size: 4324 bytes