Malicious PDF — malware analysis report

Static analysis result for SHA-256 c31e6eb75de923dc…

MALICIOUS

PDF

74.9 KB Created: 2021-03-27 15:25:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cf118dca337991b9564d6d184e0f79c3 SHA-1: b52f26ee71679465b7c12f11c6731068d6561f4b SHA-256: c31e6eb75de923dcaff914064faafec363d326bf31bad0c403f531b730a4d5fc
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a primary malicious URL identified as 'https://jacksth.ru/wix?keyword=american+republic+activity+book+answers'. Heuristics indicate this is a link farm designed to direct users to potentially harmful content. ClamAV detection and ML classification strongly suggest malicious intent, specifically classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=american+republic+activity+book+answers
    • https://cdn.sqhk.co/zopimoforaja/ihGjgjb/25069636841.pdf
    • https://cdn.sqhk.co/sisadenev/SLjiLwP/murukitujem.pdf
    • https://cdn.sqhk.co/telazaje/7ifghgi/52587199460.pdf
    • https://cdn.sqhk.co/setuboluraje/jbjbghX/51356642814.pdf
    • https://cdn.sqhk.co/jevamivuvugi/gf0Qjht/61513380971.pdf
    • https://cdn.sqhk.co/vekosozob/fGgcshg/37683873202.pdf
    • https://cdn.sqhk.co/tosilura/dhhd8jc/15273352055.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/abcc4f7a-e0e1-4046-8ee6-5dbbc53d8bce/50836746787.pdf
    • https://uploads.strikinglycdn.com/files/b2e616f4-02c9-4159-a28b-f90c02a380b9/honda_odyssey_transmission_fluid_change.pdf
    • https://c7bff75e-0a19-4817-9d47-fca4cf08161b.filesusr.com/ugd/3b6424_336b6ba981ad4b7d883a7250aea74561.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5fba4eb5-2921-44b1-81b3-e2bb43662464/what_products_are_made_in_america.pdf
    • https://uploads.strikinglycdn.com/files/13a4591b-9818-456b-824c-64af10c8baef/7411161169.pdf
    • https://uploads.strikinglycdn.com/files/e23ef032-7b7e-404d-91f3-90a8f50e58fe/whirlpool_gold_conquest_refrigerator_water_dispenser_not_working.pdf
    • https://4465b75e-e642-4f53-8c89-e22f0b9d4994.filesusr.com/ugd/ecd213_a2b92488b15b433883df3aa9a46c66b7.pdf?index=true
    • https://cfff6b0e-fc0f-4d9c-a983-c0e60c8b2bfd.filesusr.com/ugd/c637e3_2209912475c24f98b05d1b9792480d0f.pdf?index=true
    • https://7a9095e9-4ba3-4ff7-9406-a75d0382ce8a.filesusr.com/ugd/db93e9_585128d44b8c437da50403d60804199f.pdf?index=true
    • https://e0529b0e-ffd4-46ae-8a9e-348c3aa8e3ae.filesusr.com/ugd/27320f_2bda74982d1f493f980b074ad11b468d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bc1186a7-8bd0-4153-a2bb-3bad7389d72d/xavuzijiwefo.pdf
    • https://uploads.strikinglycdn.com/files/ef075a9e-4c0b-4e2f-a004-2e4e7a59716f/the_giver_book_and_movie_comparison_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/fde21219-b2c6-49b9-89d9-4cb639c7408d/18.5_briggs_and_stratton_engine_oil_filter.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d840.bin
1785a2fb105c93aa439a16dc629f156f37b48e3024102cf20cce754941bb7127		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD840 5408 bytes
font_01_sfnt_off0000ea94.bin
cdd5d7874b3223eb88956624fc108be0959917a26e5c9680cb9ec590577eab9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEA94 10456 bytes
font_02_sfnt_off00010e6b.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E6B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.