Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2c1278ed7d91f87…

Verdict: MALICIOUS
File type: PDF

Size: 71.5 KB
Created: 2021-03-20 16:04:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a74d2334765badd606fb97e72eba71a
SHA-1: 7f296838ed386e398b2a7f27bc9d8eda6a159fe9
SHA-256: e2c1278ed7d91f87e9610abb4cbb4697aee76ec9e2aefc5a20ae1786fa8efb54
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.007 JavaScript

This PDF file is identified as malicious by ML classifiers and ClamAV, exhibiting characteristics of a phishing and link farm attack. It contains numerous external links, including one pointing to 'https://mezovuduw.ru/wix?keyword=whirlpool+gold+series+dishwasher+user+manual', suggesting a lure to download further malicious content disguised as manuals. The presence of a link farm heuristic indicates an attempt to manipulate search engine results to distribute these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000db08.bin | 8bff34e9bdc71271f1726bf26d89e6bdb4840b12915decf1c5c2529c3314d1e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB08 | 5480 bytes
font_01_sfnt_off0000ed96.bin | 3ad2274d01800cf430895ba846c25d5576ca86cf3ea398348bc8c9b3bff4bab0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED96 | 10184 bytes