Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1b3a5d9121e2442…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2021-04-24 00:32:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: 9576a3b97e855d60d4ee6600733d597c
SHA-1: 167bd7bf8883d082a3d75ea42cf39810aef5b91d
SHA-256: d1b3a5d9121e244248bc7b2f3842dcf442b80155196105e16d710c64a19196c0
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms and phishing. The heuristic PDF_SEO_LINK_FARM indicates a large number of external links, and ClamAV detected it as Pdf.Phishing.Trojan. The presence of embedded URLs and the ML classifier output further support a malicious classification. The document body is heavily obfuscated and appears to be a lure for vinyl application instructions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=vinyl+application+instructions+printable (PDF link annotation)
    • https://zalozudipob.weebly.com/uploads/1/3/4/6/134673455/banosinal_jisakol_japavewu_gutif.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4487192/normal_600a034f7f25c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4416490/normal_5fc6a0b841e74.pdf (in PDF document text)
    • http://serviceforyou.site/examen_final_matematicas_3_eso4xwvk.pdf (in PDF document text)
    • https://doxizuzipoleri.weebly.com/uploads/1/3/5/3/135323895/6ee61d0f.pdf (in PDF document text)
    • https://mekowoto.weebly.com/uploads/1/3/0/7/130738632/karizazu_kevegerobedu_tudadexe_vulibidaselen.pdf (in PDF document text)
    • http://blubadgehelp.net/heads_up_concussion_test_answers3w43o.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4421461/normal_604fb3a6e706d.pdf (in PDF document text)
    • http://springital.fun/narexinomejatojofapopareb3ow9w.pdf (in PDF document text)
    • http://edaeda.moscow/best_bottom_load_water_dispenser_2019is1lq.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4461748/normal_6069bf6100df4.pdf (in PDF document text)
    • http://axecheat8.xyz/3815541359qbhxh.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b3d9a717-6f99-4a37-b5a9-f66f0d63afe5/42574758171.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1276d95b-9b88-42ee-87ec-30b1bfecd44b/girl_from_ipanema_tablature_guitare.pdf (in PDF document text)
    • https://s3.amazonaws.com/samopakamefap/amazon_prime_movies_mac.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/91cde5c1-bad5-45a4-bed2-916e7d954e77/zufuneloledanosetebame.pdf (in PDF document text)
    • https://s3.amazonaws.com/fajixe/lord_of_the_rings_two_towers_gamecube_multiplayer.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/168a2cbb-f45c-4007-b1ff-c97377dade31/65262359675.pdf (in PDF document text)
    • https://s3.amazonaws.com/guwutivupudutu/waloxidawazivubazekariw.pdf (in PDF document text)
    • https://s3.amazonaws.com/tonemakopinibem/bogglesworldesl_movie_cloze_answers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c5b7c77c-27a9-4dfb-a9e5-9613e5cb0d92/jazz_chord_progression_guitar_lesson.pdf (in PDF document text)
    • https://s3.amazonaws.com/wurivuve/30395578896.pdf (in PDF document text)
    • https://s3.amazonaws.com/kudowo/the_norton_field_guide_to_writing_with_readings_and_handbook_fourth_edition.pdf (in PDF document text)
    • https://s3.amazonaws.com/kelageketisefuv/distributive_adjectives_worksheets.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off0000e157.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE157  | 5136 bytes
  SHA-256: f99178798073beba65833065acbf72706e615ccee0be7bef732b7f9af3e5affc
font_01_sfnt_off0000f2e2.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2E2  | 10528 bytes
  SHA-256: d5396db49e5364563b7f984060101f8830e710541de07b4f9fda4a76510f32d4