Malicious PDF — malware analysis report

Static analysis result for SHA-256 e77b27ef3c563bcc…

MALICIOUS

PDF

74.1 KB Created: 2021-06-07 16:24:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0fe60d163febc8612107bc90946b37a9 SHA-1: ce9b3fa00d8991128b16de4cfd08965a8cff778a SHA-256: e77b27ef3c563bcc5f669a15db314a68878da9ff969b0613c7004cfbcf0329d2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF files hosted on Weebly and Strikingly. The primary URL, infrive.ru, suggests a potential phishing or spamming operation. ClamAV detection and ML classification confirm the malicious nature of the file, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/pbw?utm_term=what+does+poor+richard%2527s+almanac+mean
    • https://luwujapi.weebly.com/uploads/1/3/4/7/134751522/8639046.pdf
    • https://xizidalubatud.weebly.com/uploads/1/3/4/5/134583516/wakukevilan_vuzinigererogib_vezifazuw.pdf
    • https://gesovomovo.weebly.com/uploads/1/3/4/7/134716395/8104594.pdf
    • https://vitumiwoz.weebly.com/uploads/1/3/4/6/134697216/1263147.pdf
    • https://pujibotawajifuw.weebly.com/uploads/1/3/1/3/131379639/8795817.pdf
    • https://noxojinuk.weebly.com/uploads/1/3/4/4/134479051/5cf3081ff85.pdf
    • https://cdn-cms.f-static.net/uploads/4484115/normal_5fea0dc38666e.pdf
    • https://juladugalevatib.weebly.com/uploads/1/3/4/3/134385664/lexojegepanevi_wesiraduwati_xugimijolokena_wireserudizozam.pdf
    • https://jirukikemika.weebly.com/uploads/1/3/4/3/134310088/2079776.pdf
    • https://menudapopejit.weebly.com/uploads/1/3/0/7/130775932/a3cfb2a0a796.pdf
    • https://static.s123-cdn-static-d.com/uploads/4476943/normal_60b1a6212673f.pdf
    • https://zipuboxovasabe.weebly.com/uploads/1/3/1/4/131483293/8116673.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e78ce2d7-ff0d-4ca2-b14b-8f03885f2106/mortal_instruments_city_of_bones_book_review.pdf
    • https://uploads.strikinglycdn.com/files/adbf81de-40b5-4edb-83b2-54b124f60d20/who_is_cilka_in_the_tattooist_of_auschwitz.pdf
    • https://uploads.strikinglycdn.com/files/b9d3254f-dce9-4ca5-b509-4324985e4852/gulubixapurof.pdf
    • https://uploads.strikinglycdn.com/files/1ea603e7-ff46-4e0b-acee-84db3f4dce02/que_significa_fidelidad_en_la_biblia.pdf
    • http://rabopadob.pbworks.com/f/sniper_assassin_5_short_circuit.pdf
    • http://vafobotigef.pbworks.com/w/file/fetch/144631638/69540244884.pdf
    • https://uploads.strikinglycdn.com/files/09e7eec9-feb4-4a4c-ab3c-d77a87e2f4ac/rekeriwaxedarunanuka.pdf
    • http://bovozajezo.pbworks.com/f/gutobenaremasonukaxuk.pdf
    • https://uploads.strikinglycdn.com/files/fa6378fb-ab3e-4847-bd94-3357cb85dd41/57651260431.pdf
    • https://uploads.strikinglycdn.com/files/7dc36c1c-a91a-419e-8071-1fdc293835f9/download_the_lost_book_of_thomas.pdf
    • https://uploads.strikinglycdn.com/files/9cdcd7d1-5216-4e79-9b01-cda6732239eb/fallout_4_all_map_locations_perk.pdf
    • https://uploads.strikinglycdn.com/files/2dc3690a-c6d0-4c6c-8e81-9c5a05b6c60b/exercicios_adjunto_adnominal_e_adverbial_7_ano_com_gabarito.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e516.bin
fd2a32ecb07da3e9c20a66cb4692fe1ac6078660fbf420119299a2ebd7f31235		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE516 5360 bytes
font_01_sfnt_off0000f73a.bin
eb612d3a3bac9f856c2a6b2a703937e4dc85a143a69ab37f662a8b76b9867d8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF73A 10484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.