Malicious PDF — malware analysis report

Static analysis result for SHA-256 cebbd02ce8cfc91f…

MALICIOUS

PDF

77.6 KB Created: 2021-03-15 12:36:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dc59858715907e1b12663b0391944ec SHA-1: a71c20b5bdb853e89cfb6525990ffafc8afd9d2b SHA-256: cebbd02ce8cfc91f7f0eb4fc689afd22b0dfdbf4e1be615d2ea32ea2e4dc43e5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, with one prominent link pointing to 'xajibur.ru', suggesting a phishing or malware distribution attempt. The presence of embedded PDF link farms further supports this, as it's a common tactic for SEO poisoning and traffic redirection. No scripts were extracted, but the overall structure and URL targets are indicative of a malicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/123?utm_term=magistrate%2527+s+report+and+recommendation+child+support
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/pafiganovavi/2018_colorado_elk_report.pdf
    • https://uploads.strikinglycdn.com/files/09a9493f-4822-47ab-9b67-4de96a6893ee/fedumejofekukiwanilodem.pdf
    • https://s3.amazonaws.com/biwubeleba/fnma_guidelines_on_student_loan_payments.pdf
    • https://uploads.strikinglycdn.com/files/0011f7a6-dcbc-496c-a1c4-c9a9002ba485/vomezoru.pdf
    • https://uploads.strikinglycdn.com/files/96c310d5-f23e-4bfd-9a24-6e1400490d42/how_do_i_know_if_my_processor_is_compatible_with_my_motherboard.pdf
    • https://99470c7d-c692-4648-a7b8-36ea19db2883.filesusr.com/ugd/ab059d_b22f965951be456aaa47cc22275083e8.pdf?index=true
    • https://s3.amazonaws.com/lodazojamuva/63560547790.pdf
    • https://s3.amazonaws.com/pajeriramal/79026822855.pdf
    • https://uploads.strikinglycdn.com/files/22735332-5993-4706-a16d-4631afbbc92f/italian_phrases_for_travelers.pdf
    • https://95e354e6-8561-4e52-807b-deb85f3b5fdd.filesusr.com/ugd/ca9b0a_0770d7626c774e1c81af8ff727115a5c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b50d602f-a573-49f6-917d-4662feb38922/9176493403.pdf
    • https://77bac38d-831a-46d6-8f22-d7743fcadc58.filesusr.com/ugd/5b9a87_151f1b6edbb44acb90359bd3d09e72b8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d05a45ce-cd61-42a1-8f45-5bd30e0f8dd2/relative_pronoun_quiz_with_answers.pdf
    • https://s3.amazonaws.com/dukexajuj/pufamiboso.pdf
    • https://5c2df1de-05ea-4e17-9aa3-38adc7ce3153.filesusr.com/ugd/ddd609_00544792d2f3414fade92e764299c572.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a39219d6-5333-4cf9-b178-dca21e2e760e/how_to_add_a_picture_on_top_of_another_picture_in_photoshop.pdf
    • https://uploads.strikinglycdn.com/files/f95b7254-9be3-43ec-949e-90ecc7c282cb/xemijudikosi.pdf
    • https://uploads.strikinglycdn.com/files/ba7b5085-d36c-416c-bdfe-520dc31036db/sandisk_clip_sport_plus_16gb_black_review.pdf
    • https://7e70056c-c2aa-4e53-98c5-50750123c107.filesusr.com/ugd/f8ae5d_f65d661e12da41e39eaece1c057fdab9.pdf?index=true
    • https://80f75f89-a1e3-4611-a0ef-7a704eb82da9.filesusr.com/ugd/0286dd_17fce3060f854a04bf7c0efc8bed64ef.pdf?index=true
    • https://uploads.strikinglycdn.com/files/09e61770-02a8-449c-a918-16d5fe162f05/how_do_i_get_cash_off_my_child_support_card.pdf
    • https://uploads.strikinglycdn.com/files/155ad552-c8fd-4edd-9f29-acbac4bbc760/deverowowusazaso.pdf
    • https://c7fb3737-a2fb-4e06-b71d-f78b648bb0a4.filesusr.com/ugd/a9248e_5abe49562510450d849b82477058b272.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0372b1dc-cb52-4296-842a-97bbee5e30ff/who_is_on_the_latest_cover_of_sports_illustrated.pdf
    • https://3c3713de-992c-4571-92b4-00afcb8cb2c1.filesusr.com/ugd/9dbdb2_40bd6aebbfe349088e6a13f5997959c8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f1d6.bin
cb661def1c4f87a5aff36c6e322757c587bb4fde2f8d879aadc65e635f5e19a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1D6 5524 bytes
font_01_sfnt_off0001048d.bin
aec82cdff62e26cdad6f5865a378e5ee5a2a446c766f3cc7a5855a98996a2e43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1048D 10528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.