Malicious PDF — malware analysis report

Static analysis result for SHA-256 c35651c49e0b60b2…

Verdict: MALICIOUS
File type: PDF
Size: 88.5 KB
Created: 2021-05-22 15:51:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: db947c68519bfba1a22f059b5564910e
SHA-1: 43ed4a5f36f62c00ffd194a1f50a4421c2a62069
SHA-256: c35651c49e0b60b237f4eedfd21c67948063f8db8353173ac27515a7468c05a7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are to other PDFs, suggesting a link farm or redirection mechanism for malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as Pdf.Phishing.Trojan. The embedded URLs point to suspicious domains, likely used to host phishing content or download further payloads. No scripts were extracted, but the PDF structure and numerous external links are indicative of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=guia+para+ingreso+a+secundaria+2021 (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4416923/normal_60290d81281e3.pdf (in PDF document text)
    • https://kesetemokeze.weebly.com/uploads/1/3/2/6/132682820/1331186.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470405/normal_606e16754e9ec.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4415929/normal_5ff5f98268593.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481510/normal_60297e5914840.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4445320/normal_5fe2e673a4f1f.pdf (in PDF document text)
    • https://kenometiwu.weebly.com/uploads/1/3/4/3/134340836/pedef.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4401696/normal_6058e44c144cd.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4454184/normal_6064bdfc3d127.pdf (in PDF document text)
    • https://sodipojemip.weebly.com/uploads/1/3/5/3/135325099/f7ff784cb.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4485166/normal_5fffce118a86e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415046/normal_6019d5170a35b.pdf (in PDF document text)
    • https://kazazurijufom.weebly.com/uploads/1/3/0/8/130814205/xunibexugotirig.pdf (in PDF document text)
    • http://fontawesome.io (in PDF document text)
    • http://fontawesome.io/license/ (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8a0e5668-a98f-48d8-abea-a385fc309ddc/is_linksys_velop_good_for_gaming.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/51f99fcf-897b-4edb-bcb0-71699dffc183/adding_and_subtracting_fractions_with_like_denominators_worksheets_kuta.pdf (in PDF document text)
    • https://s3.amazonaws.com/gelawiweza/nazm_hikmetin_en_iyi_iir_kitab.pdf (in PDF document text)
    • https://s3.amazonaws.com/ragejufa/how_to_send_unofficial_gre_scores.pdf (in PDF document text)
    • https://s3.amazonaws.com/pojikovewijeja/lejazese.pdf (in PDF document text)
    • https://s3.amazonaws.com/tetofamuxulil/26688855087.pdf (in PDF document text)
    • https://s3.amazonaws.com/furunumaroxun/93241626529.pdf (in PDF document text)
    • https://s3.amazonaws.com/sivanira/witofejifimisa.pdf (in PDF document text)
    • https://s3.amazonaws.com/kevava/nekagatubososigonubosefe.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000101e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101E4
    Size: 1688 bytes
    SHA-256: 48477a8605c0f309bcaa5d75dc5c71cf5c25b28177ea44e07a8c78a823b250dd
  • font_01_sfnt_off00010a43.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A43
    Size: 5368 bytes
    SHA-256: d56ec37b33d3824b2653fe2bc2724f3e4b1b14359825eeaaf2a1edf64b3db458
  • font_02_sfnt_off00011c8a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C8A
    Size: 12148 bytes
    SHA-256: d5c10aaab7457843361d1ba4f63ddb86176771e08144e5125ff4ab6ea0fd0eea
  • font_03_sfnt_off000143aa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x143AA
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c