Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8733747465c4617…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-03-27 12:17:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: b46ee7490a0cd3ff9ebf3fed071029b4
SHA-1: dc82c3a92b7fb2f24035ae9a19f3a63b4b05ccc7
SHA-256: e8733747465c461720fc478475dcaa922d1842dcae9ab95b6838f90d96466175
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign PDF files, suggesting a link farm or SEO poisoning attempt. One prominent external URI, 'https://jottigo.ru/strik?utm_term=descriptive+essay+topics+asked+in+bank+exams', is likely the primary lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/strik?utm_term=descriptive+essay+topics+asked+in+bank+exams (PDF link annotation)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://e8c82854-2a0b-4c0f-82de-bac600ce06e6.filesusr.com/ugd/d017d5_c65e2448fe9c40ddbb762f8531d36efe.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/939487de-1f16-4503-a154-61eeeafa7f9f/53924278378.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/aaca8c81-d618-49bc-bbeb-831affb3e120/95694049931.pdf (in PDF document text)
    • https://3d7c42e8-cad9-4196-8f3c-0f210fd97588.filesusr.com/ugd/1b7c00_728ea9a08827465e83b5a62f2622b409.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/jazuravazaguz/cba_codigo_brasileiro_aeronutico.pdf (in PDF document text)
    • https://8f1c0ae7-1ba6-4c51-a623-4d29f5e3aebb.filesusr.com/ugd/c1615c_7e99a159e3dc404eb479ea211cd4b4a1.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/padadutiseni/seriki_agbalumo_mi_instrumental.pdf (in PDF document text)
    • https://s3.amazonaws.com/kiwopusafize/51924714398.pdf (in PDF document text)
    • https://s3.amazonaws.com/desenaz/ultrasound_scan_report_boy.pdf (in PDF document text)
    • https://s3.amazonaws.com/juwofuxufijup/neet_2020_form_last_date.pdf (in PDF document text)
    • https://s3.amazonaws.com/paxuvagal/access_to_information_and_privacy_act_cic.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0926c07b-40c1-495e-abb9-1fddb830eb01/jack_lalanne_fusion_juicer_instructions.pdf (in PDF document text)
    • https://s3.amazonaws.com/penefelomiju/ewg_guide_to_safer_sunscreens.pdf (in PDF document text)
    • https://237a2310-9536-43ad-add1-fe73b840a51a.filesusr.com/ugd/8b319d_7dca80de73c74b5789a96fe15f7eacbd.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0105f4f0-7194-47ff-b868-67a5b24c4311/bulking_meal_planner_app.pdf (in PDF document text)
    • https://1f2f8e77-98df-4c5e-b88a-83bc2b612b58.filesusr.com/ugd/5c7528_de0af3455254493fabb7baee979f27ad.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/zoromexemuzid/pisarofawap.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fba5f859-1b72-4ca1-920d-b35093b9fa5e/rugexuku.pdf (in PDF document text)
    • http://jidibavozajo.epizy.com/nios_assignment_front_page_image.pdf (in PDF document text)
    • http://katufimeg.rf.gd/learning_arduino_code_language.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f72c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF72C
    Size: 5620 bytes
    SHA-256: 9ef4f279bc74f200b5ba4e25e9930fa17bcb41de2fcc01b7c371b966168e932e
  • Filename: font_01_sfnt_off00010a4b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A4B
    Size: 11160 bytes
    SHA-256: 056959c8d9b46924a64dc5b7dbc71fc3adc989d67a19981359a1dc2e70701fcb