Malicious PDF — malware analysis report

Static analysis result for SHA-256 d03e98ed189a6e84…

MALICIOUS

PDF

72.7 KB Created: 2021-04-02 21:08:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8321abf3da4ae6c231c7984c3384a59 SHA-1: 72fa9f1fa56bfbfab79a9c36765f6bbe43f66995 SHA-256: d03e98ed189a6e84c524657b8d32a0997f0466857f1c1417915387b66d061b75
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, flagged as a 'PDF_SEO_LINK_FARM', suggesting a phishing or SEO spam campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and numerous external links point towards a malicious document, likely delivered via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9959

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=kalender+2020+20+pdf
    • http://nigamenivikuki.iblogger.org/go_your_own_way_piano_sheet_music.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e50eee24-2d95-422d-8083-6f618d95927b.filesusr.com/ugd/594ae5_81b69b75574a41cfa2c73b17f3b196d2.pdf?index=true
    • https://s3.amazonaws.com/kelukakeb/13252185834.pdf
    • http://woxowezev.rf.gd/letter_copying_sheets.pdf
    • https://uploads.strikinglycdn.com/files/975ce01d-2de9-4501-b350-7f5c9d3429a3/dirt_devil_power_max_pet_upright_vacuum_ud70167p_belt.pdf
    • https://16fd3b15-5541-4454-9538-28daacbf497e.filesusr.com/ugd/e32576_0aa55dd42e4c4c1fae290869a827d0ed.pdf?index=true
    • https://s3.amazonaws.com/betefowubevat/bhakti_video_songs_mp4_hd.pdf
    • http://xigonix.rf.gd/81134487333.pdf
    • https://uploads.strikinglycdn.com/files/106263a6-12bb-4faa-a7bd-89d39d32f4ce/whats_healthy_at_pollo_loco.pdf
    • http://xivikinobuni.epizy.com/bigcommerce_cornerstone_template.pdf
    • https://eeff404e-5492-4914-a1d7-e39d1f35e6b2.filesusr.com/ugd/e58d70_727258bc0c7447b592c2cf45e385bc96.pdf?index=true
    • https://eeeff038-21f9-42a6-bde0-cd945221d618.filesusr.com/ugd/9dc459_05719740646a42feb6a8351da4233a35.pdf?index=true
    • https://620678a0-8f5b-407b-881a-8a96a128c1c4.filesusr.com/ugd/25b7a6_bdcd048c0f23470996c46a1024923320.pdf?index=true
    • http://zomefikike.rf.gd/what_are_the_physical_properties_of_seawater.pdf
    • https://uploads.strikinglycdn.com/files/2977e3ff-03a1-447f-b5b9-47613d58d567/microsoft_project_2013_64_bit_free_download_full_version.pdf
    • https://uploads.strikinglycdn.com/files/fb8e12ac-77d2-41c9-874f-4ce609d37970/wabunisujunegu.pdf
    • https://e809654a-a95b-4dbc-a338-24085255a2f8.filesusr.com/ugd/1b6cec_70fb51b68e6743be9dc447f3c8c4f92a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e62e48bc-b0a4-42c0-919a-2f7086795006/how_many_calories_are_in_a_tall_nonfat_latte_from_starbucks.pdf
    • https://uploads.strikinglycdn.com/files/abec27f6-23f5-49f3-ab38-9b60f52b3ed4/como_pensar_rapido_no_futebol.pdf
    • https://uploads.strikinglycdn.com/files/bd9d0d51-e790-4128-b824-832426eda1ab/flower_of_life_chiropractic.pdf
    • https://uploads.strikinglycdn.com/files/d90ec5e7-a292-4bce-96b4-9ef8cb75760b/2560866308.pdf
    • https://99470c7d-c692-4648-a7b8-36ea19db2883.filesusr.com/ugd/ab059d_96e9e7559d1f48fa9d5376aff5080020.pdf?index=true
    • https://fdb0147f-387d-4908-9c93-1ccdb5bf775f.filesusr.com/ugd/aea2e0_215eff79934247ba91d932094ab2ed54.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d01359e6-895c-421f-8127-f9d12422d475/fagepilalunasizabedonepi.pdf
    • https://s3.amazonaws.com/vibuvomomuv/how_to_get_my_real_estate_license_in_michigan.pdf
    • https://8dac4d01-2cd1-45d2-8b5f-6005f802adc9.filesusr.com/ugd/1f96ce_54711d70634e4bd48f0cde6447c130b2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de4e.bin
5fa138b102f0ab6305cef0354ea8e3a08a45c2c6652d6bd338534d53dbb152eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDE4E 5100 bytes
font_01_sfnt_off0000efba.bin
5ef0256bc0eb2f944e4e735196aec7f7c360c827cea34bae5604929c613cc3b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFBA 11472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.