Malicious PDF — malware analysis report

Static analysis result for SHA-256 e630c8317e52bcc1…

MALICIOUS

PDF

Size: 78.7 KB
Created: 2021-03-13 23:09:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c4f7f2e5be3a002d5b069973c8cda1b
SHA-1: e0c4f2fe042468c4b7e8e182f59cc14f05048cd1
SHA-256: e630c8317e52bcc12cba49807d387593a87b4db227e28ad6377b7cc58f936748
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting an attempt to drive traffic to various websites. One of the embedded URIs, 'https://pelibifir.ru/wix?keyword=monect+pc+remote+apk+vip', indicates a potential lure related to remote access software. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://pelibifir.ru/wix?keyword=monect+pc+remote+apk+vip

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e92d.bin
  SHA-256: 640d17ab8d86b9adfddce0595b775cc5d0df732145a52719eaa06081c3b5fb00
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE92D
  Size: 4996 bytes

Filename: font_01_sfnt_off0000fa22.bin
  SHA-256: cf651e4e9ce28db43fee3d6e86be7c443a0e8e86ef4dd413e7cc88952d2a65ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA22
  Size: 3024 bytes

Filename: font_02_sfnt_off00010556.bin
  SHA-256: 01b959f5dae0f623f642d22337daa8be8b7c33ac4063ed9b332f4572839f7cc3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10556
  Size: 12808 bytes