Malicious PDF — malware analysis report

Static analysis result for SHA-256 ece22ea095299e51…

MALICIOUS

PDF

Size: 69.3 KB
Created: 2021-04-20 04:34:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbeeccaf3e394b4f1e0d6d565a3761c6
SHA-1: d6799fd3d0551eea67001f309bb71c079817bf33
SHA-256: ece22ea095299e51abd87c0e602f879982f69f77111ce659998e035e65eb0551
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' indicates that the document contains a large number of external links, the primary suspicious URL being 'https://pelibifir.ru/strik?utm_term=chamberlain+liftmaster+elite+series+garage+door+opener'. This pattern is commonly used for phishing or to route victims to further malware. No scripts were extracted, but the presence of numerous external links points to a phishing or content-luring attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://pelibifir.ru/strik?utm_term=chamberlain+liftmaster+elite+series+garage+door+opener

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d331.bin
    SHA-256: 28f6e578748e316fd97f8864bdbb816e45cf17d612e333d779da80a82ef1859d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD331
    Size: 5500 bytes
  • Filename: font_01_sfnt_off0000e5b1.bin
    SHA-256: 548f9e239cd467cae1173a2370435d74ccd8045aa2879dd6942546123b5a8492
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE5B1
    Size: 9976 bytes