Malicious PDF — malware analysis report

Static analysis result for SHA-256 e971a796f1215244…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2021-03-29 18:56:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 35340b7b9f9dcc13180d6dc09e2c8230
SHA-1: dc1379456f3aceb7dc56bec6220a708c0bd4dcd3
SHA-256: e971a796f1215244ab55383436445adf1b336acb2ba7d3b2b1cd944973b36317
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
Note: none of the heuristics listed below reports a JavaScript action in this file, so the T1059.007 mapping is not supported by the findings on this page; the evidence here is the link annotations and the external URI actions.

This PDF document contains a large number of external links, many of which are SEO-optimized, suggesting a link farm or content-scraping operation. The primary URL, 'https://leonvi.ru/award?keyword=blender+guru+shortcut+keys+pdf', is likely a lure to a malicious or phishing site. ClamAV and the Nyx ML classifier also flag this document as malicious; ClamAV's family label is a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9996

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; the info level here indicates no active content was found in the duplicate.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/award?keyword=blender+guru+shortcut+keys+pdf (primary URL)
    • https://cdn.sqhk.co/jaxugaveg/OhcMcha/idle_landmark_tycoon_mod_apk_unlimited_money.pdf
    • https://jotulamopusojo.weebly.com/uploads/1/3/4/4/134465369/f52250.pdf
    • https://cdn.sqhk.co/fezuvepere/iKjaeih/bescherelle_conjugaison_espagnol_gratuit.pdf
    • http://tawaguf.scienceontheweb.net/fisofijorujalapa.pdf
    • https://kufuzuve.weebly.com/uploads/1/3/4/5/134589172/7850167.pdf
    • https://cdn.sqhk.co/rokunufoleti/hbnt2nM/ocotillo_golf_course_map.pdf
    • https://fasuwilobavofe.weebly.com/uploads/1/3/4/4/134489762/dasovav-vuxabojowow.pdf
    • http://mujudesuxiropa.sportsontheweb.net/37874589874.pdf
    • https://sedogosep.weebly.com/uploads/1/3/4/4/134486754/2274878.pdf
    • https://cdn.sqhk.co/fijumirana/aZ3jaY4/free_download_idle_car_mod_apk.pdf
    • https://cdn.sqhk.co/dediwifime/F9we3ig/casino_theme_birthday_cake_ideas.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2d2b1dae-c014-4902-97e6-c3f1d56915cd.filesusr.com/ugd/70e5f7_f6b36a46784e4e7a89c9c3ea345568b2.pdf?index=true
    • https://4ac36a2f-1533-488b-b282-cf34cdace458.filesusr.com/ugd/bcfc12_e3197c227f2b4a41ac1daa89763342c6.pdf?index=true
    • https://e9542b43-fb79-4c62-94a9-c66526381fce.filesusr.com/ugd/4142f3_c7b7133ecb7d420ebc15db50b72600f4.pdf?index=true
    • http://nukilaba.myartsonline.com/95904717967.pdf
    • https://9de673a2-3b8e-40eb-bbf5-c0ad8e71a3da.filesusr.com/ugd/bd5c68_40a13f7875dd42528b483c0f8cc72d1c.pdf?index=true
    • https://9e6c4f0b-3406-4274-bf8a-5be7f948d240.filesusr.com/ugd/45c6ff_739b74f8fb2a47fcb1bb094873894cd3.pdf?index=true
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_2e852b3b8272485ca84ece3254d06ea7.pdf?index=true
    • https://72be5e1b-4d14-4335-96ee-88463f604c48.filesusr.com/ugd/57ecfe_d70ffcf7801a4b718cff8f65823c72c2.pdf?index=true
    • https://56a7be67-7dca-40da-a973-69ad719fb73b.filesusr.com/ugd/fedf23_54335754c9474a1e9db137ab224fdd98.pdf?index=true
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_c187e4a764704db99d846be3a8383382.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF, Dublin Core and Adobe XMP namespace identifiers from the document metadata plus the SIL Open Font License URL carried in an embedded font; together with the ascendercorp.com entries above, which appear to be font-vendor pages from the embedded fonts, they are extracted strings rather than clickable lure links and should not be read as part of the link farm.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ec08.bin
  SHA-256: 452a961d651a9daaa3135fdf29702a82db6a358267e5c35512de9511ea365829
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC08
  Size: 5420 bytes
Filename: font_01_sfnt_off0000fe7a.bin
  SHA-256: d165ae4d83dd613087195bf72709767423eba952415580ff8d315dee306433fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFE7A
  Size: 1728 bytes
Filename: font_02_sfnt_off00010715.bin
  SHA-256: 024263665282f1a89732389ae0e481f2129f0bba12ec5885e7cc198b3f5ca289
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10715
  Size: 11712 bytes