Malicious PDF — malware analysis report

Static analysis result for SHA-256 d50101e920a43dcc…

Verdict: MALICIOUS
File type: PDF
Size: 75.9 KB
Created: 2021-05-08 17:11:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a0d18eea0c4354a630587d2f924d845
SHA-1: 96a3a1337ba6f6d2cd78cba553941e7bc0df84b7
SHA-256: d50101e920a43dcc2fe3706d8b654b9b42c8cb5bc88a03b59aa5c1cf7f9471c4
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including critical detections for phishing and malware by ClamAV. The presence of a large number of external links, many pointing to PDF files, suggests a link farm or redirection scheme. One of the extracted URLs, https://jacksth.ru/strik?utm_term=never+fade+away+lyrics+pt+adamczyk, is suspicious and likely leads to a malicious site. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://jacksth.ru/strik?utm_term=never+fade+away+lyrics+pt+adamczyk
    • https://cdn-cms.f-static.net/uploads/4481990/normal_6033d407c6161.pdf
    • https://static.s123-cdn-static.com/uploads/4481695/normal_5ff7803e07cca.pdf
    • https://cdn-cms.f-static.net/uploads/4460048/normal_601b3a77126fd.pdf
    • https://static.s123-cdn-static.com/uploads/4529780/normal_5fd04df5188ac.pdf
    • https://cdn-cms.f-static.net/uploads/4476146/normal_601db3b75c2b0.pdf
    • https://cdn-cms.f-static.net/uploads/4449012/normal_606e3fc558073.pdf
    • https://cdn-cms.f-static.net/uploads/4500887/normal_605f5eeb052b9.pdf
    • https://cdn-cms.f-static.net/uploads/4372682/normal_6032220c2a97d.pdf
    • https://static.s123-cdn-static.com/uploads/4413575/normal_5fec85ac05d5a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_4bc71a6924694149a113f485dd972ec7.pdf?index=true
    • https://254a6a59-343e-4b7e-907c-c4819e171fff.filesusr.com/ugd/decf6f_9b9e622261d048eb8054260ec54ab04b.pdf?index=true
    • https://9f2a6cc1-6e15-4467-beaa-57274ca996ed.filesusr.com/ugd/78f4c3_4ebd0d44b9254f3d91edc8bc23fb82ca.pdf?index=true
    • https://00407fa8-a9ef-4b78-9bbe-46147fc8acf6.filesusr.com/ugd/5ecadc_96e2197807784ffaa4663967924e20a8.pdf?index=true
    • https://387a498e-9551-4239-9507-3183ba214552.filesusr.com/ugd/cd403b_daf66f7222734f76a3b30fadade0dba0.pdf?index=true
    • https://d115d978-d96a-40c8-9764-5d959708fc35.filesusr.com/ugd/436160_0acdf96189f844cfbdd020bfe1f3f4b4.pdf?index=true
    • https://c22e5cf4-338a-4003-9cad-c1cb0be29285.filesusr.com/ugd/3db607_ee57d8878564457dbe3daff72d222169.pdf?index=true
    • https://6e678f60-abc6-404c-883a-cd1729fdffee.filesusr.com/ugd/e4291f_b9c5411d0cd14b7291872bb7f78822f8.pdf?index=true
    • https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_0c76a199fe6248efa57c3986402d74bc.pdf?index=true
    • https://2e6726a7-2e78-456a-9fa1-8bc85c3b20a6.filesusr.com/ugd/76e31d_9ce8001926254a36888c280699988b5d.pdf?index=true
    • https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_1044b0c6ddb04b88b70779f73a59b965.pdf?index=true
    • https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_718c180776e347449450d289ed126c49.pdf?index=true
    • https://6cdf8c5e-36a0-4b6d-987f-32d3d50030cd.filesusr.com/ugd/3c2e2e_d72b537fcaf742ce8999b01be1fd9309.pdf?index=true
    • https://40e214c1-1950-44e8-a195-e2c6eeb23253.filesusr.com/ugd/a517f4_0e7602681f924cabbd9a53caa4b5631e.pdf?index=true
    • https://493f174a-a540-412c-bacb-e5b7b26cbfcf.filesusr.com/ugd/95bb70_ac2e06639131490c8abaa4df40ae46e2.pdf?index=true
    • https://bed2d873-735b-46bb-a8a3-264d0455df4e.filesusr.com/ugd/03ede2_a3507432f8a642098280dd1cf90399b2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                      | Size
font_00_sfnt_off0000d26a.bin | 8b575a33af2f4f2ad22411a68f193bb80275bad8fc7d9be69779cbf12666ab5e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD26A   | 5640 bytes
font_01_sfnt_off0000e5b3.bin | 18f22313b3c2319659e879e41f42a7e687eb142632c10064ca94ecc31ff0a820 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5B3   | 11596 bytes
font_02_sfnt_off00010b64.bin | e1ecdaf5f931254822c08e14176e742ed940844fb6ecb9fcb1e73603f1784b15 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B64  | 16076 bytes