Malicious PDF — malware analysis report

Static analysis result for SHA-256 d39d09f67b81943a…

Verdict: MALICIOUS
File type: PDF

Size: 78.1 KB
Created: 2021-06-07 23:10:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ebb4b343a22756c8cb817200c216dd1
SHA-1: 04ac03a0a14d435ee27136c4963bae6ffa7875f9
SHA-256: d39d09f67b81943aeb19c4f6f7c9b298ee19a3041d3baf5cdad53cf21bde5387
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

None of the heuristics below is a JavaScript finding (the only active-content-related hit, the duplicate object body, stayed at info severity), so treat T1059.007 as an unconfirmed mapping rather than a behaviour observed in this sample.

The PDF contains dozens of external links; the most prominent, an SEO-style query on coretry.ru for '3d car model free download solidworks', is the lure. The PDF_SEO_LINK_FARM heuristic fired because the clickable links are numerous and clustered on a few free file-hosting CDNs, the pattern of generated link-farm PDFs that route victims into malware or unwanted-software delivery chains rather than a genuine document's citations. ClamAV names the file Pdf.Phishing.Trojan and the ML classifier scores it 0.9998 malicious. Taken together, the embedded URLs and the generated (wkhtmltopdf) structure indicate a phishing or malware-distribution carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI action
    The PDF contains an external URL action (a /URI action, typically attached to a link annotation).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it did not, hence the info severity.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). The per-URL channel labels are not reproduced in this listing, so the URLs are grouped below by their likely origin.
    SEO lure / redirector:
    • https://coretry.ru/pbw?utm_term=3d+car+model+free+download+solidworks
    Link-farm targets on free file-hosting CDNs (weebly, f-static, s123, strikinglycdn, pbworks):
    • https://didosetugub.weebly.com/uploads/1/3/1/6/131606008/gofigi_polepofepef_ruvokavowaxe_rubelexipa.pdf
    • https://cdn-cms.f-static.net/uploads/4369149/normal_604ced9178f37.pdf
    • https://static.s123-cdn-static.com/uploads/4407301/normal_5fc68e6107760.pdf
    • https://cdn-cms.f-static.net/uploads/4475852/normal_603154f056998.pdf
    • https://lamekibig.weebly.com/uploads/1/3/4/6/134652122/459315.pdf
    • https://cdn-cms.f-static.net/uploads/4457006/normal_6039a57a1fc16.pdf
    • https://cdn-cms.f-static.net/uploads/4403823/normal_6025b8673cf1c.pdf
    • https://static.s123-cdn-static.com/uploads/4366661/normal_5fde616179900.pdf
    • https://cdn-cms.f-static.net/uploads/4374986/normal_600f9d8f566f2.pdf
    • https://uploads.strikinglycdn.com/files/02a01320-e7b5-477a-a8de-4cb56f0a9452/vusevalojev.pdf
    • https://uploads.strikinglycdn.com/files/063d682f-1522-424e-b30e-fc4be22872a5/riregipidodefenunakak.pdf
    • http://nanefumipopo.pbworks.com/f/munna_bhai_mbbs_movie_mp4moviez.pdf
    • https://uploads.strikinglycdn.com/files/535a39b3-1351-4b82-9f48-190d1f637c0c/hannah_arendt_the_origins_of_totalitarianism_amazon.pdf
    • http://pebegijopolo.pbworks.com/w/file/fetch/144544827/dimensional_analysis_nursing_problems_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/be54287d-68ec-40a3-8d71-852b2c328d15/what_is_the_cookie_clicker_cheat.pdf
    • http://risodige.pbworks.com/f/is_varicocele_treated_without_surgery.pdf
    • https://uploads.strikinglycdn.com/files/51b559c9-b764-46df-8f8f-a9661ec3db2f/keurig_vue_pod_holder.pdf
    • https://uploads.strikinglycdn.com/files/3ea2844d-ccb7-4903-860b-8681dc3a857b/tracfone_lg_premier_pro_4g_lte_prepaid_smartphone.pdf
    • https://uploads.strikinglycdn.com/files/6bc2ed95-bd44-4213-bb2b-b10a4d9e04ad/89074702597.pdf
    Font vendor and license references (most likely from the copyright and license strings of the two embedded fonts listed under Extracted artifacts; not clickable links):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    XMP namespace identifiers from the metadata stream (standard RDF, Dublin Core and Adobe XMP schema URIs; not links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
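To show what the PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and per-channel EMBEDDED_URL checks above actually look at, here is an added triage script. It is not the scanner's code and its thresholds (minimum link count, host share, size cap) are illustrative guesses; the heuristic names are reused only so the output lines up with the report. The sample PDF is constructed for the example: three link annotations on one CDN host, an XMP metadata stream whose xmlns URIs are not links, and an incremental update that redefines object 5 with a JavaScript action so the duplicate-body check escalates. Objects are scanned in file order without trusting the xref table, which is exactly why duplicates are visible.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file). /Length values are not checked.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 7 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/2/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/3/c.pdf) >> >> endobj
7 0 obj << /Type /Metadata /Subtype /XML /Length 95 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("https://lure.example.ru/pbw")) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s\"'()<>\]]+")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def scan_objects(data):
    """Every 'N G obj ... endobj' in file order, duplicates included (xref is not trusted)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def classify_channel(body):
    """Which channel would deliver a URL found in this object body."""
    if re.search(rb"/S\s*/JavaScript|/JS\s*[(<\[]", body):
        return "javascript"
    if re.search(rb"/Subtype\s*/Link", body) and re.search(rb"/S\s*/URI", body):
        return "link annotation"
    if re.search(rb"/Type\s*/Metadata", body):
        return "xmp metadata"
    return "document body"


def extract_urls(objects):
    """URL -> set of channels that reached it (the report's per-URL labels)."""
    urls = {}
    for _, _, body in objects:
        chan = classify_channel(body)
        for m in URL_RE.finditer(body):
            urls.setdefault(m.group(0).decode("latin-1"), set()).add(chan)
    return urls


def link_farm(data, urls, min_links=3, host_share=0.6, max_size=200_000):
    """PDF_SEO_LINK_FARM-style check; thresholds are illustrative, not the vendor's."""
    clickable = [u for u, chans in urls.items() if "link annotation" in chans]
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    if len(data) > max_size or len(clickable) < min_links:
        return False, hosts
    _, top_count = hosts.most_common(1)[0]
    return top_count / len(clickable) >= host_share, hosts


def duplicate_objects(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: first-wins vs last-wins bodies."""
    first, dupes = {}, {}
    for num, gen, body in objects:
        key = (num, gen)
        if key in first and first[key] != body:
            active = any(k in body or k in first[key] for k in ACTIVE_KEYS)
            dupes[key] = {"first": first[key], "last": body, "active": active}
        first.setdefault(key, body)
    return dupes


def triage(data):
    """Run both checks and return (findings, urls); severity rises only with active content."""
    objects = scan_objects(data)
    urls = extract_urls(objects)
    findings = []
    farm, hosts = link_farm(data, urls)
    if farm:
        host, n = hosts.most_common(1)[0]
        findings.append(("critical", "PDF_SEO_LINK_FARM",
                         f"{sum(hosts.values())} clickable links, {n} on {host}"))
    for (num, gen), d in duplicate_objects(objects).items():
        sev = "high" if d["active"] else "info"
        findings.append((sev, "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                         f"{num} {gen} obj redefined; last-wins body "
                         f"{'carries' if d['active'] else 'lacks'} active content"))
    return findings, urls


if __name__ == "__main__":
    found, urls = triage(SAMPLE_PDF)
    for sev, label, detail in found:
        print(f"[{sev}] {label}: {detail}")
    for url, chans in urls.items():
        print(f"  {url}  <- {', '.join(sorted(chans))}")
```

Running it reports the link farm as critical, the redefined object 5 as high (its last-wins body carries a /JavaScript action, which is the escalation the report describes), and lists the w3.org namespace URI under "xmp metadata" rather than as a clickable link, which is the distinction the EMBEDDED_URL note is making.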

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f48d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF48D   5392 bytes
  SHA-256: 36aa3592a962ef942c1915b53d609aa197e5a51175f3889d84cfa7e04bef8f26
font_01_sfnt_off000106e1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x106E1  10676 bytes
  SHA-256: e9f645153f69fe9dde2e1c9250cbef153aa2bb3d5fa8f144cd320d66fd696ccb
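The table above gives each carved font an sfnt offset, a size and a hash but not how those values are obtained. The script below is an added example of one way to do it, not the analysis pipeline's own carver: it scans for an sfnt header (TrueType 0x00010000, CFF-based "OTTO", Apple "true"), validates the table directory so stray "true" keywords in PDF syntax are rejected, computes the font's extent from the table records, and hashes the carved bytes. It assumes the report's offsets are plain file offsets for uncompressed streams, and it additionally inflates any stream that decompresses cleanly so Flate-encoded font streams are carved too; TrueType collections ("ttcf") are out of scope. The fonts and the wrapping PDF are constructed for the example and are not usable fonts.

```python
import hashlib
import re
import struct
import zlib

MAGIC_RE = re.compile(rb"\x00\x01\x00\x00|OTTO|true")   # TrueType / CFF OpenType / Apple sfnt
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sfnt(version, tables):
    """Construct a minimal sfnt from {tag: bytes} (test data only, not a usable font)."""
    n = len(tables)
    header = struct.pack(">4sHHHH", version, n, 0, 0, 0)
    dir_size = 12 + 16 * n
    records, payload = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, dir_size + len(payload), len(data))
        payload += data + b"\0" * (-len(data) % 4)        # tables are 4-byte aligned
    return header + records + payload


def parse_sfnt_at(buf, off, max_tables=64):
    """Validate the table directory at buf[off:]; return (total_length, tags) or None."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables:
        return None
    dir_size = 12 + 16 * num_tables
    if off + dir_size > len(buf):
        return None
    end, tags = dir_size, []
    for i in range(num_tables):
        tag, _csum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):          # tags are printable ASCII
            return None
        if t_off < dir_size or off + t_off + t_len > len(buf):   # after the directory, in bounds
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, t_off + t_len)
    end += -end % 4
    return min(end, len(buf) - off), tags


def candidate_buffers(pdf):
    """Yield (label, bytes) to scan: the raw file, then every stream that inflates cleanly."""
    yield "raw", pdf
    for i, m in enumerate(STREAM_RE.finditer(pdf)):
        try:
            yield f"stream{i}:inflated", zlib.decompress(m.group(1))
        except zlib.error:
            continue


def carve_fonts(pdf):
    """Locate, size and hash every sfnt in the file or its Flate streams."""
    found = []
    for label, buf in candidate_buffers(pdf):
        for m in MAGIC_RE.finditer(buf):
            parsed = parse_sfnt_at(buf, m.start())
            if parsed is None:
                continue
            length, tags = parsed
            blob = buf[m.start():m.start() + length]
            found.append({"source": label, "offset": m.start(), "size": length,
                          "tags": tags, "sha256": sha256_hex(blob)})
    return found


def build_sample_pdf(fonts):
    """Wrap font blobs in a fake PDF; each entry is (font_bytes, flate_compressed)."""
    parts = [b"%PDF-1.4\n"]
    for i, (font, deflate) in enumerate(fonts, start=1):
        data = zlib.compress(font) if deflate else font
        filt = b" /Filter /FlateDecode" if deflate else b""
        parts.append(b"%d 0 obj << /Length %d%s >>\nstream\n" % (i, len(data), filt))
        parts.append(data + b"\nendstream\nendobj\n")
    parts.append(b"trailer << /Root 1 0 R /Marked true >>\n%%EOF\n")   # this 'true' is not an sfnt
    return b"".join(parts)


def demo():
    """Constructed TrueType and CFF fonts, one raw and one deflated, carved back out."""
    ttf = build_sfnt(b"\x00\x01\x00\x00", {b"head": b"\x00" * 54, b"glyf": b"\x01\x02\x03"})
    otf = build_sfnt(b"OTTO", {b"CFF ": b"\x05" * 10})
    pdf = build_sample_pdf([(ttf, False), (otf, True)])
    return pdf, ttf, otf, carve_fonts(pdf)


if __name__ == "__main__":
    for hit in demo()[3]:
        print(f"{hit['source']} off=0x{hit['offset']:X} size={hit['size']} "
              f"tags={hit['tags']} sha256={hit['sha256']}")
```

The raw-buffer offset of the first hit is what the report's "at offset 0xF48D" corresponds to under the assumption above; the second hit is reported relative to its inflated stream, so a real carver would also record which object the stream belongs to. The directory validation is what keeps the four-byte "true" in the trailer from being carved as a font.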