Malicious PDF — malware analysis report

Static analysis result for SHA-256 e265013ee8025b9c…

MALICIOUS

PDF

78.7 KB Created: 2021-03-25 10:23:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c22d187738edfb692d98b71e0ab6251 SHA-1: db3b33d9d58d627a043df70cf2aa5212f0631927 SHA-256: e265013ee8025b9c44665256db3eedfcf2303efcbde6b941b7d8fcd8ea1bf90b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external links, suggesting a link farm or redirection to malicious content. The primary external URI points to a URL that appears to be part of a phishing lure related to fixing a TV remote, likely intended to lead the user to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=how+to+fix+a+toshiba+smart+tv+remote
    • https://kavixonew.weebly.com/uploads/1/3/4/5/134592395/mulalogo_nasulezama_sipukobebomij.pdf
    • https://sawonelezaxiso.weebly.com/uploads/1/3/4/5/134588179/petatitenanuw.pdf
    • https://nilanifek.weebly.com/uploads/1/3/4/4/134466172/supevaferiwubot.pdf
    • http://xidasetetobuge.scienceontheweb.net/tugejulas.pdf
    • http://mizifasurogik.mywebcommunity.org/tosovezod.pdf
    • https://soberonapi.weebly.com/uploads/1/3/2/6/132681790/5427474.pdf
    • http://nawitebexu.medianewsonline.com/77748901470.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/59979f9a-28c6-4b54-b415-fe448fe769c0/99646858378.pdf
    • http://nebojemesiwi.atwebpages.com/12936291561.pdf
    • https://uploads.strikinglycdn.com/files/cb7b0bfa-f7d6-40f0-9741-4156af33986e/sozujudixejitatenipij.pdf
    • https://8c285b57-3156-47ce-881b-df665acc117b.filesusr.com/ugd/8d46c2_936496fdb47148c9b37525503a53fcb4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/732dbd93-4d57-4f63-b3a3-468da01d61c4/explain_how_to_name_binary_ionic_compounds.pdf
    • https://0f285ee0-1b14-49a2-8a3e-060a2db94812.filesusr.com/ugd/4bf67f_ea535ca2089b480c8dcd26a9f65e25ad.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0edb8702-721a-4754-9074-4dd6875de27d/japji_sahib_in_english.pdf
    • https://091a8774-b5bd-4fb7-8799-8d1ca0ca44ad.filesusr.com/ugd/8716ab_18f4b2085fbf4b4496e24a01abe2ddf2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9d83175e-1360-428e-a7d6-a64e2520e1fb/huckleberry_finn_sparknotes_chapter_20.pdf
    • https://b24182fa-1fee-416c-9f57-41d8a36573e1.filesusr.com/ugd/1cc367_8e18bb3fa2f44751ac12df1e458178e5.pdf?index=true
    • https://24a70dd4-b549-4b9e-9c0a-6eea45ab85ad.filesusr.com/ugd/ab0c63_d1710a67e8194dd9b6f4956a562b2c8d.pdf?index=true
    • https://feedbc21-cb93-402c-9ae2-3476589645d2.filesusr.com/ugd/f3ecbe_6f7b30a8b675469084a93b2aa90fcf7c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f776.bin
9f293794a584cc9d76ff7ce41e9734e3ca191523b77dfe68fbd54c8b60aff65d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF776 5296 bytes
font_01_sfnt_off00010968.bin
2cb7a49ac7d931207a399673c0cbfde1df85c6ae91c9bff54018ef86bde83dec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10968 10584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.