Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecc67bb716108e6a…

MALICIOUS

PDF

Size: 91.5 KB
Created: 2021-03-30 19:33:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 810edf5c2d8efeaf4e01a6f90b7f7afd
SHA-1: e134c3c942fa1031ecadcae25dba689075cffd63
SHA-256: ecc67bb716108e6a0b5f37a676cca72a65af2aca45a665029b08969e74adc002
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF file flagged as malicious by ClamAV and an ML classifier. It contains numerous external links, with one suspicious URL pointing to 'xajibur.ru'. The PDF structure suggests it's designed to host a link farm, potentially for phishing or distributing further malware. No scripts were extracted, but the presence of external links indicates an attempt to redirect the user to a malicious resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/123?utm_term=camera+360+lite
    • https://xomitemekebok.weebly.com/uploads/1/3/4/8/134881854/migawelemosu_sesewu.pdf
    • http://mavurelaro.22web.org/46719271093.pdf
    • https://kagivosivozavex.weebly.com/uploads/1/3/4/7/134746508/f914e2cea6b43b1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/e2ae3ce0-932c-4e1d-9578-5623403ee085/what_are_the_types_of_shots_in_film.pdf
    • http://turegipamikum.epizy.com/2019_audi_r8_v10_plus_performance.pdf
    • https://uploads.strikinglycdn.com/files/c5d90445-1187-4bec-87fd-28c08ce8dd33/29105682855.pdf
    • http://pidosowot.epizy.com/mini_bobina_de_tesla.pdf
    • https://uploads.strikinglycdn.com/files/1bf1fefc-97d8-4239-8ecc-d1acc9af7096/30919797311.pdf
    • https://uploads.strikinglycdn.com/files/e5f4016d-0bf1-40cd-8417-d9d7be7bb2ce/xawudekonujarogifulufar.pdf
    • https://uploads.strikinglycdn.com/files/ec39693d-7555-4a95-aaf4-4b54b0c9f977/gore_vidal_history_of_the_national_security_state.pdf
    • http://wepaxilex.epizy.com/aparichita_kannada_movie_free.pdf
    • https://s3.amazonaws.com/wivunonovef/parent_contact_log_for_teachers_free.pdf
    • https://s3.amazonaws.com/nolarifaforuxop/despicable_me_2_sub_indo.pdf
    • https://s3.amazonaws.com/dogevazapiwediw/simple_lessons_learned_template_excel.pdf
    • https://uploads.strikinglycdn.com/files/90786531-9dd8-47d3-bd76-78e6a32680d7/62180431006.pdf
    • https://uploads.strikinglycdn.com/files/0c47bb39-9214-407c-bf41-2d43abcc1c18/presonus_fp10_driver_windows_10.pdf
    • http://vomujajimulewut.rf.gd/ronulaxofomiwumazorexol.pdf
    • https://uploads.strikinglycdn.com/files/ccc44fef-8cc3-4732-88fe-b734eb6dd040/naxiv.pdf
    • https://uploads.strikinglycdn.com/files/5bb4a855-7c3a-4ec8-a2e8-c0dc04eb06a4/brown_v_board_of_education_and_the_civil_rights_movement_michael_j_klarman.pdf
    • https://uploads.strikinglycdn.com/files/7aa54678-85eb-4707-a429-69d903791521/kenmore_elite_upright_freezer_door_switch.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000ea6b.bin
    SHA-256: f77bc989ad6e065eed35ba9edcee80420cf7f7456f9239bcf5b317a80c39bd30
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEA6B; Size: 3232 bytes
  • font_01_sfnt_off0000f5b7.bin
    SHA-256: b05a48d4ad1241d8150ea73f87939e4529242c1dabbaefd871d7340de340f8bf
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF5B7; Size: 4708 bytes
  • font_02_sfnt_off000105a2.bin
    SHA-256: 15b9128b016d21f2c8b9d0520eb8b91f1393727a403a8af83117b1998297a733
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x105A2; Size: 4452 bytes
  • font_03_sfnt_off000111b3.bin
    SHA-256: 48e7e6bf7af84ae3a07e5860cce27f20a118573631921b113067b49a69f37395
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x111B3; Size: 11764 bytes
  • font_04_sfnt_off000139f7.bin
    SHA-256: 2ff763add402cdcf655b877a47c94f7c3d9ae4e1f3d307255fc0bf0a6e3702f0
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x139F7; Size: 16476 bytes
  • font_05_sfnt_off0001502c.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1502C; Size: 4324 bytes