Malicious PDF — malware analysis report

Static analysis result for SHA-256 e698e77345cc4579…

Verdict: MALICIOUS
File type: PDF
Size: 81.2 KB
Created: 2021-05-26 14:16:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d9b9ea1c0ac52f87f94f31134273939b
SHA-1: be68fa98c8b262c24a132eb73707f7cfd99e79a7
SHA-256: e698e77345cc4579f2fd48db20e7411ebddc6389671bcc3651f51548aeae38a5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. One of the primary external URLs, 'https://seumenha.ru/wb?keyword=present%20progressive%20verb%20tense%20worksheets', is likely part of a malicious campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wb?keyword=present%20progressive%20verb%20tense%20worksheets
    • https://cdn-cms.f-static.net/uploads/4412170/normal_603540bd42502.pdf
    • https://cdn-cms.f-static.net/uploads/4446174/normal_603c68bc7501e.pdf
    • https://cdn-cms.f-static.net/uploads/4482228/normal_60657abd663df.pdf
    • https://cdn-cms.f-static.net/uploads/4481663/normal_5fd662188f8cf.pdf
    • https://cdn-cms.f-static.net/uploads/4369663/normal_60545ce2cb517.pdf
    • https://balolemarivapi.weebly.com/uploads/1/3/5/3/135309218/1693255.pdf
    • https://static.s123-cdn-static.com/uploads/4422877/normal_5fcf421e95a16.pdf
    • https://cdn-cms.f-static.net/uploads/4367911/normal_60176c1ea6d4b.pdf
    • https://static.s123-cdn-static.com/uploads/4383930/normal_5fed93e989f06.pdf
    • https://cdn-cms.f-static.net/uploads/4447630/normal_6024513501f2c.pdf
    • https://cdn-cms.f-static.net/uploads/4473030/normal_6015415cc59eb.pdf
    • https://cdn-cms.f-static.net/uploads/4446166/normal_6015de3c33cae.pdf
    • https://wutupebepa.weebly.com/uploads/1/3/3/9/133997315/e9fc8a99cf575.pdf
    • https://cdn-cms.f-static.net/uploads/4470207/normal_605b7f84378df.pdf
    • https://jotesufuxave.weebly.com/uploads/1/3/1/4/131483421/80f29e5e59.pdf
    • https://jimutovila.weebly.com/uploads/1/3/1/8/131856698/wipuvu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/3f48be9d-e485-4ede-a7a3-199375840c02/80549068211.pdf
    • https://uploads.strikinglycdn.com/files/13d6c468-da29-4c35-b639-67aca0a59463/reasons_why_finland_has_the_best_education_system.pdf
    • https://uploads.strikinglycdn.com/files/615395e4-5f8c-4347-90da-dbd6c5a83e66/pedulesuti.pdf
    • https://uploads.strikinglycdn.com/files/56f0f9db-f79b-4acf-8dbf-c61b6044a972/gonub.pdf
    • https://uploads.strikinglycdn.com/files/c62eaaf6-5e0f-413a-adcc-9e4356fb710f/dunkin_donuts_matcha_latte_carbs.pdf
    • https://uploads.strikinglycdn.com/files/bf8fd125-1178-4a60-8cc5-1d727768948e/snapper_classic_riding_mower_price.pdf
    • https://uploads.strikinglycdn.com/files/d0c17843-fdb1-4dfb-93da-90298a69760e/teaching_reading_comprehension_strategies.pdf
    • https://uploads.strikinglycdn.com/files/e7a23bab-b624-4090-a723-592b0a86398e/persuasive_letter_writing.pdf
    • https://uploads.strikinglycdn.com/files/887f8a2a-a85f-432f-802d-225f8a1be110/tozufopesuvipewuxoxil.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f40a.bin
    SHA-256: beb716d574a4f9729db5392f7e1d4abad06728243211727ca849fb25bb108439
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF40A
    Size: 4984 bytes
  • font_01_sfnt_off00010504.bin
    SHA-256: d12a41d65fdc90dddfeb26c96207373282181c9048bb256c556ea2c2598d316f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10504
    Size: 10476 bytes
  • font_02_sfnt_off000128c9.bin
    SHA-256: ad623bc7c681097dfa1224999cf6cc6072d3ca9a137655dc1129b0261f0b357c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x128C9
    Size: 4324 bytes