Malicious PDF — malware analysis report

Static analysis result for SHA-256 c51444a6bdf239b3…

Verdict: MALICIOUS
File type: PDF
Size: 75.7 KB
Created: 2021-03-10 17:48:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4be766196661f0c0531c27401849f889
SHA-1: d5e3a7f09bd71153a5257dd89f1bda87b76ef646
SHA-256: c51444a6bdf239b378f8e0d2c23b88257c05438c94e7293216ae7d9659259a24
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a PDF SEO link farm. One prominent external URI points to 'https://zajinet.ru/strik?utm_term=will+there+be+a+nerve+2', which is likely a malicious landing page. ClamAV also detected this file as 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0', indicating a phishing or trojan distribution intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://zajinet.ru/strik?utm_term=will+there+be+a+nerve+2

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ed28.bin
    SHA-256: f16becc4271cdcfca654fe5738b656a549f37e710116cfc8d95938451fa2a0d4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED28
    Size: 4940 bytes
  • font_01_sfnt_off0000fdfd.bin
    SHA-256: 0a9056bb1de320da2bdcda68746421d995cbaaedac4b5dda484d8e561aac9e21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDFD
    Size: 10204 bytes