Malicious PDF — malware analysis report

Static analysis result for SHA-256 c231e8f0fff49a3b…

MALICIOUS

PDF

Size: 76.8 KB
Created: 2021-03-18 23:21:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f728da501b4df9f3823ab82aab6e729
SHA-1: e31b6a6a57d57e3ed19f21caf87bd298d1330e05
SHA-256: c231e8f0fff49a3b63544fc7db355ecc21a5ed6b9783d35098764ecc2a502846
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many pointing to Weebly-hosted PDF files, suggesting a link farm or redirection mechanism. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were explicitly extracted, the PDF structure and the presence of external links are consistent with techniques used to deliver malicious content or redirect users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eeda.bin
    SHA-256: 979b1ac52171898fc0f98f8fe63d1d6ae743c15b5ee10c7e8cea3def4477854d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEDA
    Size: 5176 bytes
  • Filename: font_01_sfnt_off00010070.bin
    SHA-256: d810559faf34a906f98c3c3466b89546edbebd50863e1926c1f9c3dcd452cfaa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10070
    Size: 11136 bytes