Malicious PDF — malware analysis report

Static analysis result for SHA-256 c71122ac9914c9bb…

MALICIOUS

PDF

Size: 81.6 KB
Created: 2021-06-03 20:27:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b92df8165e63cefa986dc535a6235c2
SHA-1: 77250565da48f19bb01720095533137fc6a757fa
SHA-256: c71122ac9914c9bba31cad9d8da85e24e779018f67f7ee3ca79ea6f615fa0ad9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking documents, but one key URL, https://philabc.ru/pbw?utm_term=the+astonishing+color+of+after+free, is flagged as malicious. This suggests the document is part of a link farm or SEO poisoning scheme designed to drive traffic to malicious sites. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/pbw?utm_term=the+astonishing+color+of+after+free

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f314.bin
  SHA-256: 852c0c7f5d0c8b5b58c34198b7e1f8a2105e659a7a693bddf19952d837b18842
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF314
  Size: 4880 bytes

Filename: font_01_sfnt_off0001039d.bin
  SHA-256: 80b8c5b4d95f856d0af9ce21d8f19470ff5c1f5c4398e6845f67d9aa780b8e61
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1039D
  Size: 11052 bytes

Filename: font_02_sfnt_off000128f9.bin
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x128F9
  Size: 4324 bytes