Malicious PDF — malware analysis report

Static analysis result for SHA-256 d143419d97f56df6…

MALICIOUS

PDF

81.4 KB Created: 2021-05-27 15:58:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 665e08a1fc1c46d4ad0904a066d8604d SHA-1: b130e64837699d6c4ed69ad3778494ea86d0d3c8 SHA-256: d143419d97f56df6662abf272abe680c5b00d9b8cc2319da8d07d2baf8ce62d3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, flagged as a link farm, with one prominent URL leading to a domain associated with phishing. ClamAV detection and ML classification strongly indicate malicious intent, specifically identified as a phishing trojan. The document body, though heavily obfuscated, contains keywords related to HMRC authorization, suggesting a pretext for the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=authorise+someone+to+act+on+my+behalf+hmrc
    • https://static.s123-cdn-static.com/uploads/4376379/normal_5fe2cc6cf251f.pdf
    • https://butabefuje.weebly.com/uploads/1/3/1/4/131437434/c48c21523.pdf
    • https://nuwoveforu.weebly.com/uploads/1/3/4/0/134099073/5e23299f9892a1.pdf
    • https://static.s123-cdn-static.com/uploads/4383444/normal_5fc85b4db9411.pdf
    • https://static.s123-cdn-static.com/uploads/4462046/normal_5feaffeb0abef.pdf
    • https://static.s123-cdn-static.com/uploads/4389084/normal_600977adae3f3.pdf
    • https://cdn-cms.f-static.net/uploads/4379837/normal_6041902a2abb4.pdf
    • https://static.s123-cdn-static.com/uploads/4462980/normal_5feb80eeb4ece.pdf
    • https://static.s123-cdn-static.com/uploads/4501963/normal_5fe25b296d732.pdf
    • https://cdn-cms.f-static.net/uploads/4381085/normal_60217e265c091.pdf
    • https://cdn-cms.f-static.net/uploads/4444882/normal_601471eab4701.pdf
    • https://jipaxebuperiw.weebly.com/uploads/1/3/4/7/134751602/632433.pdf
    • https://cdn-cms.f-static.net/uploads/4403407/normal_606c914f126f9.pdf
    • https://cdn-cms.f-static.net/uploads/4453740/normal_606a6fd4bb718.pdf
    • https://cdn-cms.f-static.net/uploads/4479460/normal_601baeb64078b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/57e94463-3031-4181-bda7-dd77364bf684/how_to_fix_hp_officejet_6700_premium.pdf
    • https://uploads.strikinglycdn.com/files/ebf7be8e-cd4a-43a7-8fa1-1a59390e6f29/arms_reach_co_sleeper_3_in_1_mini.pdf
    • https://uploads.strikinglycdn.com/files/c67b12eb-afb1-453f-a617-cd27a626090b/nigajanesotofetejexowif.pdf
    • https://uploads.strikinglycdn.com/files/025e8df5-79e8-4670-b113-47c436be5f73/stochastic_calculus_for_finance_ii_continuous-time_models.pdf
    • https://uploads.strikinglycdn.com/files/2f2b5cf1-631f-4993-8f56-a3f242186325/zujugekedise.pdf
    • https://uploads.strikinglycdn.com/files/06798db8-acfa-4f94-85db-7c476380786f/37061529574.pdf
    • https://uploads.strikinglycdn.com/files/9ec8e398-7f7e-4925-afc3-f8e17ad0b225/74705657779.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010230.bin
2de6fe02b452888d8daee0c90bb1cc1b4b0a5808a28d898e9ee98662f639d191		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10230 5352 bytes
font_01_sfnt_off0001143f.bin
7942b5e65e3106d2940307dbb45222d4272efaf9321bc91fdc007af822b333c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1143F 10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.