Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1132829040edaa3…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2021-03-23 19:29:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 765b7f55a0c098360ca5186ac29a2ba8
SHA-1: b01a1be5509b09a31f430e19e9ce0a76dcc59864
SHA-256: e1132829040edaa3f6b58d04e0f60914c4b4d43888e90040a42fafc270628974
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, with a critical heuristic identifying a link farm designed to redirect users. One of the primary URLs, 'https://pelibifir.ru/award?keyword=partnership+deed+sample+pdf+kenya', suggests a lure related to legal documents to entice clicks. Although no scripts were explicitly extracted, the PDF structure and the presence of external links are indicative of a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info; PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://pelibifir.ru/award?keyword=partnership+deed+sample+pdf+kenya
    • http://bufo.online/i_didn_t_know_song_phishgm261.pdf
    • https://cdn.sqhk.co/kasavakujosi/1XhhjkP/nba_live_stream_ipad_free.pdf
    • http://huseyincanx.com/xifatonotifu2t1yy.pdf
    • https://xemamipu.weebly.com/uploads/1/3/0/8/130813095/6c8f995402fec.pdf
    • http://sigevomub.22web.org/walking_dead_comic_vol_10.pdf
    • http://shoop-fg.ru/what_is_the_best_mini_fridgen9qyh.pdf
    • https://fimetopim.weebly.com/uploads/1/3/4/3/134399480/7633397.pdf
    • http://copyrightprivacy.site/89062065924gvy5b.pdf
    • https://cdn.sqhk.co/navotezive/jb7ig32/97150442018.pdf
    • https://cdn.sqhk.co/wazikunal/jaggghH/wecom_inc_nj.pdf
    • http://rozefuzapotor.iblogger.org/pojenosidumibewaj.pdf
    • https://cdn.sqhk.co/remezebona/hhipFhj/rounded_corner_rectangle_indesign.pdf
    • http://dronextactical.xyz/jogawudepugejejukadx5z8.pdf
    • https://cdn.sqhk.co/pasojixaju/ihbiguq/car_toons_magazine_subscription.pdf
    • https://zesalogerevuj.weebly.com/uploads/1/3/4/6/134684883/8257403.pdf
    • https://cdn.sqhk.co/rolidazi/r2w5je0/xugobol.pdf
    • http://fujixizo.22web.org/28617984091.pdf
    • https://zukutalemuz.weebly.com/uploads/1/3/4/5/134582669/9fe29.pdf
    • https://cdn.sqhk.co/wenegifuteg/ggK09gj/cost_of_online_piano_lessons_uk.pdf
    • https://cdn.sqhk.co/purawewus/dhcif5E/38478198432.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/113a8c5b-ae06-42d0-9c26-a88c4a23fd7c/kilif.pdf
    • http://pisisome.rf.gd/bozovirifuvebejunameva.pdf
    • https://uploads.strikinglycdn.com/files/f02c234e-3b33-426a-a43b-d4a54ecdc279/how_to_oven_dehydrate_peas.pdf
    • https://uploads.strikinglycdn.com/files/f7f83859-e40a-495a-aced-549208961893/wojitakazeruvuzu.pdf
    • https://uploads.strikinglycdn.com/files/d1a323fb-d271-453b-9a3a-ea2a0918366e/why_is_my_jbl_not_turning_on.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f668.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF668    5448 bytes
  SHA-256: ee6b001473ee69fc16b927f8bc2031e7565a7d872974b79fbd38cc44193b942f
font_01_sfnt_off000108d1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x108D1   11104 bytes
  SHA-256: bd6babc74320caf110c0b26f767f9e6106f8a12d02a2af2937c0ee33b5200d31