Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5cf94c4b1540464…

MALICIOUS

PDF

76.3 KB Created: 2021-04-20 01:54:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 546e6441c8140db88886118d71b3d171 SHA-1: c914c1b730f3710e45d622e0cf86fb56e80506e8 SHA-256: e5cf94c4b15404646529ef0274f72fef55e36b3e8445989afc5bcf1355b72e1d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a significant number of external links, identified as a PDF link farm. One of the primary URLs, 'https://leonvi.ru/strik?utm_term=stack+on+24+gun+safe+review', is directly referenced in the heuristics. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The presence of embedded URLs and the ML classifier's high confidence score indicate a deliberate attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=stack+on+24+gun+safe+review
    • https://rugajasaxi.weebly.com/uploads/1/3/4/0/134096424/pokegaxosuvamaze.pdf
    • https://static.s123-cdn-static.com/uploads/4366625/normal_5fdde85729370.pdf
    • https://zitudoxe.weebly.com/uploads/1/3/1/4/131437236/jagagegovusewirilu.pdf
    • https://livupojinobiz.weebly.com/uploads/1/3/1/8/131856358/vujelinidekim.pdf
    • https://bivupexas.weebly.com/uploads/1/3/1/4/131453521/b1cec4d.pdf
    • https://cdn-cms.f-static.net/uploads/4454420/normal_6009cb46aacfd.pdf
    • https://kifutojuwa.weebly.com/uploads/1/3/4/0/134017701/9317489.pdf
    • https://cdn-cms.f-static.net/uploads/4427295/normal_600a22686b4ff.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/09404e5c-04f6-4436-b722-e52db1c82f69/schumacher_battery_charger_manual_sc1307.pdf
    • https://uploads.strikinglycdn.com/files/1b9eb7d2-2b13-4e7a-ab3c-7966932931f3/what_is_lean_startup_method.pdf
    • https://uploads.strikinglycdn.com/files/8e3ad768-7088-439b-943f-95527e6c8f8d/54580112165.pdf
    • https://s3.amazonaws.com/rurosaveruk/life_cycle_of_a_flowering_plant.pdf
    • https://uploads.strikinglycdn.com/files/f7525d56-12b0-4648-bc72-915aba090ded/barn_burning_faulkner_themes.pdf
    • https://uploads.strikinglycdn.com/files/fd9ea6cb-eb9d-47be-92b6-e3a57561b8aa/graphtec_cutting_plotter_ce6000-60_price_in_bangalore.pdf
    • https://uploads.strikinglycdn.com/files/b09e00e3-0985-45c0-8c02-a354d3324e14/how_do_i_fix_the_sound_delay_on_my_samsung_tv.pdf
    • https://s3.amazonaws.com/wovisak/36996051234.pdf
    • https://uploads.strikinglycdn.com/files/09aa8eff-1b6f-4207-8507-afe81c798ee7/rinnai_certified_technician_near_me.pdf
    • https://uploads.strikinglycdn.com/files/6b80336a-2852-4a2d-944d-e9db91eec26f/zoom_g1xon_review.pdf
    • https://s3.amazonaws.com/kotodur/20704635954.pdf
    • https://uploads.strikinglycdn.com/files/92da0def-fabf-4f3e-a559-62c739147dbf/tifizabetorosuku.pdf
    • https://s3.amazonaws.com/zulezov/75893702686.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecab.bin
e713495c67539061aa77c33779c83f06a66af2c728e8c675c087b0b5149d36d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECAB 5556 bytes
font_01_sfnt_off0000ffd1.bin
fecda9530bb34bde342d1166ac6eb4253146d8662a4f7ca298ee0bf3f82aaf9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFD1 10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.