Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1678b8c1ec11fc9…

Verdict: MALICIOUS
File type: PDF
Size: 86.9 KB
Created: 2021-06-02 11:41:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dfac991b4dc4914798b3409d47f48380
SHA-1: d14954424fe6a1f7decd039128b6f49658aa1025
SHA-256: e1678b8c1ec11fc9d7b7e9cd863ac261fb7ab19d814be5fdf0c990156be01af4
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, identified by the PDF_SEO_LINK_FARM heuristic, directing users to various websites. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or trojan PDF. The embedded URLs suggest a campaign to redirect users to potentially malicious content or download further stages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://irlanc.ru/pbw?utm_term=que+es+un+bosquejo+biblico+y+como+se+prepara
    • https://tedaliduvif.weebly.com/uploads/1/3/5/9/135957254/2897849.pdf
    • https://cdn-cms.f-static.net/uploads/4464541/normal_60228812c0a04.pdf
    • https://cdn-cms.f-static.net/uploads/4387817/normal_603f68cb9783c.pdf
    • https://repemigikaji.weebly.com/uploads/1/3/4/6/134608024/legemamawona.pdf
    • https://static.s123-cdn-static.com/uploads/4408713/normal_5fcbc9a04bf16.pdf
    • https://cdn-cms.f-static.net/uploads/4408984/normal_5fdadecab2ec7.pdf
    • https://cdn-cms.f-static.net/uploads/4408863/normal_603a23273f63c.pdf
    • https://cdn-cms.f-static.net/uploads/4417534/normal_60292192aafaa.pdf
    • https://vuganolo.weebly.com/uploads/1/3/5/3/135314000/4205955.pdf
    • https://cdn-cms.f-static.net/uploads/4410199/normal_6018a5eea6b16.pdf
    • https://nisaxiguxizi.weebly.com/uploads/1/3/5/3/135306566/gipilejisusuxaj-soxubife.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fb9c7424-ea08-4417-a661-e2d1aa8c66da/sixifoxuripasarixunitemu.pdf
    • https://uploads.strikinglycdn.com/files/10a3df84-928d-41e4-8ab6-3020ca0d747d/rainsford_characteristics_in_the_most_dangerous_game.pdf
    • https://uploads.strikinglycdn.com/files/90bea727-f1c5-46eb-bc0c-bb6b725a7d08/ejercicios_de_suma_o_diferencia_de_cubos_resueltos.pdf
    • https://uploads.strikinglycdn.com/files/5cce04a6-69de-4a69-91e7-4c00974f1b18/age_of_empires_2_version_2.0_a_no_cd_crack.pdf
    • https://uploads.strikinglycdn.com/files/7d35f62e-5bdc-41f8-a316-8f3590740e5d/how_much_weight_can_i_lose_on_the_grapefruit_diet.pdf
    • https://uploads.strikinglycdn.com/files/08890e05-4e44-436e-a15b-9d97b68a1bbe/how_to_change_a_micro_sim_card_to_a_nano_sim_card.pdf
    • https://uploads.strikinglycdn.com/files/3ec2ea1e-a4e0-4dab-836c-b570e9576b4f/light_relief_reviews.pdf
    • https://uploads.strikinglycdn.com/files/788b8d0e-0166-491e-becf-d9c171c8a65e/can_i_day_trade_with_thinkorswim.pdf
    • https://uploads.strikinglycdn.com/files/5e119072-596c-40a5-91b5-54c28c980fe5/recep_ivedik_2_izle_hd.pdf
    • https://uploads.strikinglycdn.com/files/0ad031e1-ec4c-4b45-a7de-0fecc58aca43/7909202596.pdf
    • https://uploads.strikinglycdn.com/files/8bf21cce-6492-4c4d-9b66-628ca3dff96c/jekepudilavipe.pdf
    • https://uploads.strikinglycdn.com/files/42e6c8e7-326d-474b-a450-8cc0ab5936d5/fitovafuvara.pdf
    • https://uploads.strikinglycdn.com/files/f5dee278-624a-4d99-ad28-af90b47f264e/pasabo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000111d5.bin
    SHA-256: 76119b4955442de99e27c877274b50db68108e7cece489375a9eb50332d3aa1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111D5
    Size: 5584 bytes
  • Filename: font_01_sfnt_off000124c0.bin
    SHA-256: 5eb4f2738dceaba8a05e8298e2b0ef96ad97ce689dd2aea3cab15af0173196bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x124C0
    Size: 11992 bytes