Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1418087ae0ac3f7…

Verdict: MALICIOUS
File type: PDF
Size: 144.4 KB
Created: 2021-04-06 02:46:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41e3767237b5ac26577349956408d1a9
SHA-1: d099af4a0cb472ae8f813d919e99ae21e0a3984e
SHA-256: d1418087ae0ac3f7cb207d87acde2fd11161ace40f4cccaf8d00ef92d7b5e3ce
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of clickable external links to other PDFs, clustered on a small set of hosts (weebly.com subdomains and cdn.sqhk.co). That pattern matches generated SEO/link-farm PDF carriers that route users into malicious or unwanted-software delivery chains, and ClamAV independently flags the file as Pdf.Phishing.Trojan. The document body is heavily corrupted, but the recoverable text and the utm_term parameter of the zajinet.ru URL both point to a lure around 'Verizon jetpack 4g lte factory reset'; the authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with automated generation of such carriers. Taken together, the embedded URLs and the document structure indicate a search-engine-seeded PDF used to redirect users to attacker-controlled sites. Note that although the ATT&CK mapping lists T1059.007 (JavaScript), none of the heuristics below reports a JavaScript action or script stream; every detection on this sample is link- or structure-based.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (/S /URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content for that object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate definition carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the first URL carries the lure phrase as its utm_term parameter, the weebly.com, cdn.sqhk.co and filesusr.com entries are the hosted-PDF link-farm targets, and the trailing w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net entries are XMP namespace identifiers and embedded-font licence URLs, i.e. normal document metadata rather than navigation targets (the ascendercorp.com entries likewise look like font-vendor references).
    • https://zajinet.ru/strik?utm_term=verizon+jetpack+4g+lte+factory+reset
    • https://vusekuzobogurow.weebly.com/uploads/1/3/5/3/135327372/fasuradirefeputepor.pdf
    • https://cdn.sqhk.co/niserutom/fKjenbA/tikana.pdf
    • https://tipefejiri.weebly.com/uploads/1/3/0/9/130969755/guzaraninuleko.pdf
    • https://cdn.sqhk.co/rumoligodo/ehgrQia/25384249897.pdf
    • https://cdn.sqhk.co/genopeno/jdytkI8/maplestory_dark_knight.pdf
    • https://cdn.sqhk.co/vefapatape/fhhgeMP/american_basketball_playoffs_mod.pdf
    • https://nipixosawapur.weebly.com/uploads/1/3/1/1/131164079/b9de78bc12a9.pdf
    • https://nenubijul.weebly.com/uploads/1/3/5/3/135393623/8ba5d1ca809.pdf
    • https://cdn.sqhk.co/lasetipulos/hhicgj3/bombsquad_bomber_battles.pdf
    • https://fofoxugijajeb.weebly.com/uploads/1/3/4/7/134729320/1737595.pdf
    • https://kofovozeregom.weebly.com/uploads/1/3/4/3/134313602/9903901.pdf
    • https://nixunirebexif.weebly.com/uploads/1/3/0/7/130776125/93712.pdf
    • https://dagakaxogofawi.weebly.com/uploads/1/3/4/6/134699425/d326537.pdf
    • https://jejaxome.weebly.com/uploads/1/3/4/4/134443668/gujolebomoruki.pdf
    • https://cdn.sqhk.co/begesiki/iaoCihG/adaobi_by_mavins.pdf
    • https://cdn.sqhk.co/dulinifijal/gf06Xjd/81472948890.pdf
    • https://xomowozijirogap.weebly.com/uploads/1/3/4/6/134667332/09c8e8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://26aaa629-0581-4e25-ae32-a194504e59ab.filesusr.com/ugd/2d4e87_771ec480883a411cbb49de5b7194c2df.pdf?index=true
    • https://e055bcc9-c4f1-4c6c-8dcb-0912bf54750f.filesusr.com/ugd/b4a829_0c38a640d5cc4f14a4923c76e9c207b0.pdf?index=true
    • https://9a1eab6f-da2d-4a41-99bb-18a59f11b130.filesusr.com/ugd/c2b690_7cd8b422f2d549168be20f422d3b7ecc.pdf?index=true
    • https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_50b3e0a2fbfb4199804c8251a7a7620d.pdf?index=true
    • https://e26976e3-f089-44cc-a2a6-54bcc6cae308.filesusr.com/ugd/0df15e_64e1fce22c7b4e29a71cb2611c128048.pdf?index=true
    • https://05790d5e-93e9-4545-bcc4-99c37f081c18.filesusr.com/ugd/bff4d5_8b4aa0d3ec9e4f38ad3d32a4e1f04494.pdf?index=true
    • https://09972071-4174-499b-90b1-de3619f59f53.filesusr.com/ugd/d1c05f_7c6c4b3e947241dc8772e793d0305796.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
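The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce with a raw object scan that ignores the xref table. The following is an added example written for this report, not the analysis engine's own code or anything taken from the sample: it builds a constructed PDF (made-up hosts and paths, twelve /Link annotations with nine on one host, then an incremental update that redefines the catalog object with an /OpenAction), extracts link-annotation URIs, scores host clustering, and reports duplicate object definitions together with what a first-wins versus a last-wins reader would resolve. Thresholds (min_links, max_size, cluster_ratio) and the active-content key list are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input (not the analysed file). All hosts/paths are made up.
LINK_URLS = [f"https://cdn.farm-host.test/{i}/lure_{i}.pdf" for i in range(9)] + [
    "https://site-a.example.test/uploads/1.pdf",
    "https://site-b.example.test/uploads/2.pdf",
    "https://lure.example.test/strik?utm_term=factory+reset",
]
# Keys treated as "active content" (assumed list for the example).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch")


def build_sample_pdf():
    """Assemble the constructed PDF: one page of /Link annotations, then an
    incremental update that redefines object 1 0 (the catalog) with active content."""
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(LINK_URLS)))
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode(),
    ]
    for i, url in enumerate(LINK_URLS):
        bodies.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {10 * i} 300 {10 * i + 10}] "
                      f"/A << /S /URI /URI ({url}) >> >>".encode())
    out = b"%PDF-1.4\n"
    for num, body in enumerate(bodies, start=1):
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    out += (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
            b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return out


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def scan_objects(data):
    """Every 'N G obj ... endobj' definition in file order, xref table ignored,
    so definitions an xref-driven reader never visits are still seen.
    (A stream body containing the literal 'endobj' would confuse this; fine here.)"""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def extract_link_uris(objects):
    """URIs reached through /Link annotations (the 'link annotation' channel)."""
    uris = []
    for _, _, body in objects:
        if re.search(rb"/Subtype\s*/Link\b", body):
            uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris


def link_farm_score(uris, file_size, min_links=10, max_size=200_000, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many links, most on one host.
    Grouping is by exact hostname; collapsing subdomains of one registrable
    domain (many *.weebly.com names) is the obvious refinement."""
    hosts = Counter(urlparse(u).hostname for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(uris) if uris else 0.0
    return {"links": len(uris), "top_host": top_host, "top_share": round(share, 2),
            "flag": file_size <= max_size and len(uris) >= min_links and share >= cluster_ratio}


def find_duplicate_objects(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: same (num, gen) defined more
    than once with differing bodies; severity raised only for active content."""
    defs = {}
    for num, gen, body in objects:
        defs.setdefault((num, gen), []).append(body)
    findings = []
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(bodies),
                             "severity": "critical" if active else "info"})
    return findings


def resolve(objects, num, gen, policy):
    """Body a reader would use for (num, gen) under a 'first' or 'last' wins policy."""
    matches = [b for n, g, b in objects if (n, g) == (num, gen)]
    return matches[0] if policy == "first" else matches[-1]


def analyze(data):
    objects = scan_objects(data)
    return {"link_farm": link_farm_score(extract_link_uris(objects), len(data)),
            "duplicates": find_duplicate_objects(objects), "objects": objects}


if __name__ == "__main__":
    report = analyze(build_sample_pdf())
    print("link farm:", report["link_farm"])
    print("duplicates:", report["duplicates"])
    for policy in ("first", "last"):
        print(f"{policy}-wins catalog:", resolve(report["objects"], 1, 0, policy).decode())
```

Running it on the constructed file flags the link farm (12 links, 0.75 on one host) and one critical duplicate, object 1 0: the first-wins catalog has no /OpenAction while the last-wins catalog carries the JavaScript action, which is exactly the divergence the heuristic description warns about. Against a real sample such as this one, the same scan over the raw bytes would also surface the body-only duplicates that an xref-driven parser silently resolves one way or the other.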

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0001da67.bin
  SHA-256: fc31e9518aee214d2246840e908d33d97317251350a7f97a7c44f0ae06626e08
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1DA67
  Size: 5528 bytes

font_01_sfnt_off0001ed65.bin
  SHA-256: 51ebeec29509b87aa858d500e37ac8853184703d07d1f913ce36d8e1dc7764c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1ED65
  Size: 1800 bytes

font_02_sfnt_off0001f5f3.bin
  SHA-256: c42488561525a68f71d0e6a7d31f616b323fdb62775a0691e2b12b46178b383c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1F5F3
  Size: 11448 bytes

font_03_sfnt_off00021d0c.bin
  SHA-256: c3d0ee408bee49a88931d2ac630a9fb52e88a46fabab5a72aa19e78bbe1d3826
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x21D0C
  Size: 16376 bytes