Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4006333fc505f95…

MALICIOUS

PDF

69.9 KB Created: 2021-03-09 19:12:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2033ac48b49a1bb270b6ed6a07d07a83 SHA-1: 97e9743dbbe110585ca82f4a7ee9cc5ae621be19 SHA-256: c4006333fc505f95a0e51ebd514f713d6a519688f8f1db2ed971bd62073c06ea
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with a critical heuristic identifying a 'PDF_SEO_LINK_FARM' suggesting a large number of external links. One of the primary external URIs, 'https://pelibifir.ru/123?utm_term=hygiena+systemsure+ii+manual', is flagged as suspicious. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery. No scripts were extracted, but the sheer volume of external links points to a content-farming or redirection strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=hygiena+systemsure+ii+manual
    • http://vikiduxa.mywebcommunity.org/juzebijed.pdf
    • https://xafusotegemuwif.weebly.com/uploads/1/3/5/3/135304795/2522995.pdf
    • https://gotenalonas.weebly.com/uploads/1/3/4/3/134372716/76bd35e02199.pdf
    • http://taxevidel.medianewsonline.com/mobility_scooter_battery_change.pdf
    • https://zuzefeza.weebly.com/uploads/1/3/1/3/131397950/rawik-fetesawow-pudiv.pdf
    • https://puwedogomep.weebly.com/uploads/1/3/1/3/131382223/8c2e9.pdf
    • https://lobodilogiji.weebly.com/uploads/1/3/1/3/131382226/dutejozinekiluk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xenavuxa/clickup_task_templates.pdf
    • https://8ac5c8e1-9174-427d-95c2-90bebb9f105a.filesusr.com/ugd/44b221_a3604bd82d9e4916a168df88fbc1f25d.pdf?index=true
    • http://zusaxadixuxot.myartsonline.com/what_is_proving_in_mathematics.pdf
    • https://9eb5ee95-128e-4115-bcd6-d8db8525ce49.filesusr.com/ugd/9904c2_cc76a7076fa849c09298fa2cc49d3319.pdf?index=true
    • https://b5f169ef-6bcf-4d19-a24b-32bdc9dd7a5f.filesusr.com/ugd/2e79a6_b8616d18458649dfbb1389d1aeb3ad25.pdf?index=true
    • https://67a4337f-2b79-4d04-9c1d-2578c80f4945.filesusr.com/ugd/964009_b36f1e1da5d1469692c0d024d42aa9a8.pdf?index=true
    • https://6525eaf8-9a42-4119-9fb4-c3d475b3b78e.filesusr.com/ugd/80bfa9_9efc2442b5024abfa338d45a66640c77.pdf?index=true
    • https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_0b1cbda352bb4aa7ac366fced13f02f4.pdf?index=true
    • https://s3.amazonaws.com/kudowo/dolanulebema.pdf
    • https://uploads.strikinglycdn.com/files/21089142-67d0-4d62-a4c6-78d6f54d0a02/speed_queen_washer_error_code_er_fl.pdf
    • https://uploads.strikinglycdn.com/files/ab643a72-065a-43d3-9bb0-e05195ca077a/43320629854.pdf
    • https://50fe66f1-00be-429c-ab6c-57a9f80d6ab9.filesusr.com/ugd/39cb9d_44a9752b649e4739b71ed8dd368ed53f.pdf?index=true
    • https://3c8d80e7-2998-4b53-b1db-ea2053e4eee2.filesusr.com/ugd/5c8c55_8bea08508b8d4198afab119f7055cf6b.pdf?index=true
    • https://2a07c75e-e898-48ba-b326-4cccc82d0599.filesusr.com/ugd/ff154e_bc71b37f2fb64d6ba2d82ff659306128.pdf?index=true
    • https://ddc7b23b-31e5-4b5c-aaad-d3b7cef26861.filesusr.com/ugd/e506b8_f6c393d8a79047ce900027ae6d71df53.pdf?index=true
    • https://s3.amazonaws.com/varolexexus/xoligomavuganux.pdf
    • https://s3.amazonaws.com/gogunabones/google_chrome_extension_video_stream.pdf
    • https://uploads.strikinglycdn.com/files/f7a51b9d-af7b-48fb-a98d-9f5b573f8772/ikea_malm_bed_frame_parts.pdf
    • https://uploads.strikinglycdn.com/files/09633efc-4c25-45f9-aa20-f5aad29c5864/safety_first_infant_car_seat_replacement_parts.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d5fe.bin
ee6cd1dc71cddd6eb90e4780304412392c176fe00fca3ac7abfc75ae95642e1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD5FE 5068 bytes
font_01_sfnt_off0000e731.bin
34ac37ce9df65b0e893cb9be8744279d2a131c79e7e0eb9c44c4f93d23577aaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE731 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.