Malicious PDF — malware analysis report

Static analysis result for SHA-256 e667862748a34eeb…

Verdict: MALICIOUS
File type: PDF
Size: 96.7 KB
Created: 2021-04-13 08:48:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24eba5cb6ef6cc68bd8ecccfe3fbf6da
SHA-1: 210cf2cd2fb4e55786371770952ab12ad1badf01
SHA-256: e667862748a34eebd87fa5818921be1ef381abf9102dd296312b834a62681964
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, flagged by the 'PDF_SEO_LINK_FARM' heuristic, which suggests a tactic to manipulate search engine results or to distribute malicious content. A ClamAV detection and a high ML classifier score further indicate malicious intent. Although no scripts were extracted, the PDF structure and the numerous external links point towards a phishing or content-distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00013d37.bin | 4b79b293f1923742e80c080e319fd37f261e8ae61cbb447aaf94baee1cd4be04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D37 | 4908 bytes
font_01_sfnt_off00014dbf.bin | f7a4b0f9fd0e23fbe66bd6072ce3b79aa51120129c272e5b5b981a25d808c102 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14DBF | 11568 bytes