Malicious PDF — malware analysis report

Static analysis result for SHA-256 d33e257b94572e0b…

MALICIOUS

PDF

78.3 KB Created: 2021-04-02 13:51:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60e20046f61b83a52f0541570d1d86dd SHA-1: f10796f0a89e2485e4b94273cc900530748d9560 SHA-256: d33e257b94572e0be84753747233c08a0ec245c15b26f62890b34dfd5bc602a2
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to redirect users. The primary URL, 'https://jumiwimov.ru/strik?utm_term=starbucks+menu+calories+canada', is likely part of a phishing or malware distribution scheme, disguised as a search result.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=starbucks+menu+calories+canada
    • https://static.s123-cdn-static.com/uploads/4460460/normal_5fc8face017e1.pdf
    • http://gmetry.online/1953663664456qc1.pdf
    • http://lngcliente.com/how_often_to_change_transmission_fluid_honda_fity6y0i.pdf
    • https://cdn-cms.f-static.net/uploads/4366949/normal_5fd2eafd49ce1.pdf
    • http://soldonlittleton.com/in_his_1963_letter_from_birmingham_jail_martin_luther_king_jrkvkzx.pdf
    • https://cdn.sqhk.co/dofubetu/gcijjiY/marine_corps_scout_sniper_course_cover_and_concealment.pdf
    • https://cdn.sqhk.co/nazopekujavi/i1oibib/learn_drawing_for_beginners.pdf
    • http://dvertsoff.ru/brother_hl_5370dw_printer_paper_jamwtu0x.pdf
    • http://biribekagupelu.66ghz.com/federated_kaufmann_large_cap_fund_fact_sheet.pdf
    • https://cdn.sqhk.co/momajuxu/bjgjcV0/48484604144.pdf
    • http://obmenkalnr.online/bella_figura_book1azsy.pdf
    • https://cdn-cms.f-static.net/uploads/4393641/normal_601ac5ba3097f.pdf
    • https://cdn-cms.f-static.net/uploads/4387701/normal_5fd82473c4e60.pdf
    • https://cdn-cms.f-static.net/uploads/4476273/normal_6060f7c6c196a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4b3b4da4-1145-40fd-8a04-0ac29766dab0.filesusr.com/ugd/6c6203_939ceab687054c4ea4d360bd6894020f.pdf?index=true
    • https://7162f0c1-3bb2-4775-9ad2-1e34613fb889.filesusr.com/ugd/595093_c524cdbb7f204e928fcebdb5b0bd34ae.pdf?index=true
    • https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_504a53356c7e45f1a2fbc497fc4643cd.pdf?index=true
    • https://19aaccd0-9772-41b6-85c4-be118606641a.filesusr.com/ugd/a12125_20f16211505b4251861506222e9ffb01.pdf?index=true
    • https://ec08fec6-e576-400d-8504-372613838d3c.filesusr.com/ugd/57e0ce_85f3ea9d50844a258dc61a069011c38e.pdf?index=true
    • http://miripiwamaza.epizy.com/wuxamomivugajasiludetun.pdf
    • https://6cb1c90e-07cf-4522-b85d-4edd8abc33c8.filesusr.com/ugd/0c41e7_24e4fb54f5e14524b0d20e9b7300dfea.pdf?index=true
    • https://ecfc1f44-6648-4072-bff5-6ee4adcfbe4f.filesusr.com/ugd/e5a943_2c5b92c8afac4bb1bda8e50b19336ca4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f350.bin
5267ff0b6db88f2623501f61f5f53d2a13401d79e1ad6de2834b60aee40a19e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF350 5392 bytes
font_01_sfnt_off0001058d.bin
8dc29aca341a046f33a0d0e6cd8bd4cf27cf7dba89732b6984552bbae1da1e05		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1058D 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.