Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7de86c13eb18262…

MALICIOUS

PDF

Size: 77.9 KB
Created: 2021-06-11 01:57:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 375e91c80d52920339eba800b483cd24
SHA-1: e22276693db0c28b44fa9b2827e7233e9b1b084b
SHA-256: d7de86c13eb182623831ced71a650d87c5182975ec582d4d99497c9fc32fd9bd
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an unusually large number of external links for a 77.9 KB document, matching the PDF_SEO_LINK_FARM heuristic: most of the clickable targets are further PDFs hosted on free website builders and their CDNs (weebly.com, strikinglycdn.com, s123-cdn-static, f-static.net), and the remaining target is 'https://inwebjor.ru/pbw?utm_term=drama+be+with+you+sub+indo', whose search-term parameter marks it as the landing page of an SEO lure. The Nyx ML classifier (score 0.9996) and ClamAV ('Pdf.Phishing.Trojan') both call the file malicious. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not backed by any recovered script; the file's harm lies in where its links send the user, and the structure and URL distribution point to a phishing or malicious-redirection scheme rather than code execution. When counting the link farm, note that the ascendercorp.com and scripts.sil.org/OFL entries in the URL list are most likely font-vendor and licence strings from the three embedded fonts, and the w3.org, purl.org and ns.adobe.com entries are XMP namespace declarations; none of these are link annotations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://inwebjor.ru/pbw?utm_term=drama+be+with+you+sub+indo (primary malicious URL)
    • https://xovamiwif.weebly.com/uploads/1/3/4/0/134096018/fujuniguz.pdf
    • https://dajikapepexav.weebly.com/uploads/1/3/4/5/134597014/vajen-bavijizuzazubi-wiletopido-mekik.pdf
    • https://xenafakawipa.weebly.com/uploads/1/3/4/8/134879239/a97d2cbe2.pdf
    • https://dezilupogebog.weebly.com/uploads/1/3/4/1/134109094/wigofikekakivov_pikokekur_jimum_tokogiduzuxi.pdf
    • https://nudabixe.weebly.com/uploads/1/3/4/5/134505388/5985160.pdf
    • https://kabuvegezukab.weebly.com/uploads/1/3/5/3/135325093/aa6233f1a61.pdf
    • https://danawejenig.weebly.com/uploads/1/3/4/4/134499985/xipaxubipasumoravo.pdf
    • https://static.s123-cdn-static-d.com/uploads/4476751/normal_60b3207c26685.pdf
    • https://walidixigojal.weebly.com/uploads/1/3/4/5/134595726/xemojorokanuvetasuti.pdf
    • https://static.s123-cdn-static.com/uploads/4457561/normal_5ff264a689893.pdf
    • https://cdn-cms.f-static.net/uploads/4501233/normal_60220966dc7e1.pdf
    • https://xugimitedekilim.weebly.com/uploads/1/3/1/4/131482884/wokosire.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/533acc5d-8d62-4728-a84b-dddee15992c0/95634544007.pdf
    • https://uploads.strikinglycdn.com/files/da0c5455-22e3-4ac6-b1b4-30293d8945f2/25301336573.pdf
    • https://uploads.strikinglycdn.com/files/7fcbe00c-2274-4fa1-a5ba-e7cbf2e91396/delta_20_bandsaw_tires.pdf
    • https://uploads.strikinglycdn.com/files/df295837-342e-49b9-9ae5-b282143b2a4c/bofedigigelopovaga.pdf
    • https://uploads.strikinglycdn.com/files/516b41cb-6de1-43fa-a136-e6294166b5e1/60246122219.pdf
    • https://uploads.strikinglycdn.com/files/243f875f-2ee0-4c27-9a40-4c8f77dc6ad4/modezapixoduzazuduwegur.pdf
    • https://uploads.strikinglycdn.com/files/390b4c0d-f5cd-4799-9c2c-cbb7fa45ccde/what_is_the_storyline_of_twilight.pdf
    • https://uploads.strikinglycdn.com/files/ca65f9fc-84bf-496c-80d8-38f955dfa352/what_are_the_3_main_impacts_of_climate_change.pdf
    • https://uploads.strikinglycdn.com/files/6c2e76b7-af87-44d8-a2d7-b3c46a5c31ed/39577795230.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
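The three structural checks behind the heuristics above (PDF_SEO_LINK_FARM scoring on clickable links only, EMBEDDED_URL channel labelling, and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL with first-wins versus last-wins resolution) can be reproduced with plain regular expressions over the raw file. The following is an added example and not the analysis engine's own code; the sample PDF, the thresholds, the channel names and the list of "active content" keys are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): four link annotations over two
# hosts, an XMP metadata stream with namespace URIs, and an incremental update
# that redefines object 4 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/x.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/y.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/z.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example/lure) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 140 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://evil.example/pbw) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\((.*?)(?<!\\)\)", re.S)
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
XMP_RE = re.compile(rb"/Type\s*/Metadata|xmpmeta")
# Keys that make a redefined object worth escalating (assumed list, not the engine's).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def iter_objects(data):
    """Yield (num, gen, body) for each 'N G obj ... endobj' in file order, so
    redefinitions appended by incremental updates come after the originals."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Body a reader sees for (num, gen): 'first' for first-wins parsers, 'last'
    for last-wins parsers (those that honour incremental updates)."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def carries_active_content(body):
    """True if the object body holds an action or script key."""
    return any(k in body for k in ACTIVE_KEYS)


def extract_urls(data):
    """Return (channel, url) pairs: 'link_annotation' = target of a /URI action
    (reachable by a click); 'metadata' = URL text inside an XMP stream (namespace
    URIs, not links); 'body' = any other URL-shaped text. Every definition of a
    duplicated object is scanned so neither resolution policy hides a target."""
    found = []
    for _num, _gen, body in iter_objects(data):
        clicked = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(body)}
        found.extend(("link_annotation", u) for u in sorted(clicked))
        other = "metadata" if XMP_RE.search(body) else "body"
        for m in ANY_URL_RE.finditer(body):
            url = m.group(0).decode("latin-1")
            if url not in clicked:
                found.append((other, url))
    return found


def link_farm_assessment(data, max_size=200_000, min_links=3, host_share=0.5):
    """Score clickable URLs only: small file, several link annotations, most of
    them on one host. Thresholds are illustrative assumptions."""
    clickable = [u for ch, u in extract_urls(data) if ch == "link_annotation"]
    hosts = Counter(urlparse(u).hostname for u in clickable)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(clickable) if clickable else 0.0
    return {
        "clickable": len(clickable),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(data) <= max_size and len(clickable) >= min_links and share >= host_share,
    }
```

Running `link_farm_assessment(SAMPLE_PDF)` flags the sample because three of its five clickable targets sit on one host, while the two namespace URIs in the XMP stream are labelled `metadata` and never enter the count. `duplicate_objects` reports only object 4 0, and `resolve(..., "first")` versus `resolve(..., "last")` shows the two different /URI targets a first-wins and a last-wins reader would follow; because the redefined body carries `/URI`, `carries_active_content` is the condition under which the duplicate-object finding would be escalated above info.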

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                     | Size
font_00_sfnt_off0000e3bc.bin | 5d8682a79beaa40bcc50c3abf597b60c18293f4c21e414d3e8850a7e9fe9002d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE3BC  | 4548 bytes
font_01_sfnt_off0000f3a2.bin | e066a11f6439aa2b4bc441a77b4221b9ebb3a79044405884a137909348808469 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3A2  | 5364 bytes
font_02_sfnt_off000105c7.bin | 523feb884b0d57ee1d26558c94db5f7a90e9a257c9cff42b193a083779c0054b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105C7 | 10412 bytes