Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0d60654e65b8e5d…

MALICIOUS

PDF

Size: 76.1 KB
Created: 2021-04-03 23:23:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1d48cc70d7710460e1a0c6d6f1fd6979
SHA-1: 79e1f84cf88b9cdbb5ed2960b4bedeb38a487203
SHA-256: d0d60654e65b8e5df94183f729558cc1b8f29235144def5b0aaf20235c6cbc74
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many pointing to potentially malicious domains, suggesting a link farm or phishing attempt. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, and ClamAV detected it as 'Pdf.Phishing.Trojan'. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create documents for web-based lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/123?utm_term=types+of+animals+worksheet+pdf
    • http://babusokojanog.sportsontheweb.net/zuvison.pdf
    • http://wiboratiraveguw.mygamesonline.org/edgar_allan_poe_poemas_e_ensaios.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9e77dbea-16d6-438e-9859-4a68c5388828.filesusr.com/ugd/3225da_ae51da8c4b7c468bbf2cb1292a35c649.pdf?index=true
    • https://s3.amazonaws.com/devuxuzejozam/27400402225.pdf
    • http://xedavabawavela.onlinewebshop.net/numosagavezavutaraz.pdf
    • https://s3.amazonaws.com/kagedatabujo/canadian_anti_fraud_reporting.pdf
    • http://kubomefewofumim.atwebpages.com/butelegegima.pdf
    • https://488c2ff9-9ff4-499e-8f11-525115e20b22.filesusr.com/ugd/8aba0c_42cd68dd9a7c4fd8bd38c4d3d059232c.pdf?index=true
    • https://e1bd05e7-a2ed-43df-b5fc-9bc8ee0b1a84.filesusr.com/ugd/08acf3_f1f5f129c60340a498b00f226f017e34.pdf?index=true
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_c187e4a764704db99d846be3a8383382.pdf?index=true
    • https://3dcfbd4a-ef33-49dc-a04a-0aaf5307c30d.filesusr.com/ugd/b47706_deaa8f7032a54b8a996f36014872bfc4.pdf?index=true
    • https://6d4a8fb0-9a8a-4850-8aa1-2b5706121c9a.filesusr.com/ugd/ff2e72_c5fe5c4dc3b44eca906791f0ea05a8a7.pdf?index=true
    • http://kufekisawisewo.onlinewebshop.net/lawezelawuvupelogex.pdf
    • https://s3.amazonaws.com/xijalovelokolep/rca_tablet_reset_google_account.pdf
    • https://s3.amazonaws.com/kopisigapub/verbs_in_spanish_worksheet.pdf
    • https://s3.amazonaws.com/napoledunadigo/ethyl_alcohol_has_higher_boiling_point_than_dimethyl_ether.pdf
    • https://s3.amazonaws.com/jidosatikim/52089857240.pdf
    • https://00407fa8-a9ef-4b78-9bbe-46147fc8acf6.filesusr.com/ugd/5ecadc_1ed688dee36547d985703de95afaab9e.pdf?index=true
    • https://def05634-b969-4265-beeb-1e7d695e9a44.filesusr.com/ugd/6865ce_c1c8eab341cd4b94bd30d5d48afe7350.pdf?index=true
    • https://s3.amazonaws.com/mefadedosuw/30222733698.pdf
    • https://203e60c5-e32a-4587-ab6d-31d66de6d5b9.filesusr.com/ugd/014c36_8cccc02759c54003a773c1b8e1d9e22c.pdf?index=true
    • https://0e8f88b9-656e-4b05-9cd8-8bd477f85547.filesusr.com/ugd/95b9ea_12c32b0f3c104395b73a622c1e7e6fa8.pdf?index=true
    • https://ef90beaa-bca2-431e-862c-49c19dd94618.filesusr.com/ugd/06497e_6430fcdd154d495a91a2e7dd0f437268.pdf?index=true
    • https://acd80754-3b70-42c6-a60f-3489f6261da4.filesusr.com/ugd/f1780b_03e2fe9218c7478fb3ec9068bd81468b.pdf?index=true
    • https://e301b21f-f707-426c-a094-6199d4b1a2d6.filesusr.com/ugd/f65518_ca42496d379d4353b64f9757679a673f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ee16.bin
SHA-256: 1b8a039472bda83602ca85dc0f5815df6402133611bd78fae368a7493c0f3ded
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEE16
Size: 5488 bytes

Filename: font_01_sfnt_off000100ae.bin
SHA-256: 9f55302a002427470fd6b381b9eb34ccdb2ce4a83bd13e2d9f95d9e7e98de29d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x100AE
Size: 9940 bytes