Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed1267b4cb8a0932…

MALICIOUS

PDF

81.0 KB Created: 2021-04-16 22:46:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e81ac2c2b1521af4a5e6f610be92c51f SHA-1: 510781ca29a0fbf028aa7ce55e8a01bd6f9ec520 SHA-256: ed1267b4cb8a0932870ddc064ea3b6a920242dfc458f1feff4695f8b5e07bd61
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic firing for a link farm, indicating it is designed to host numerous external links. One of these links, 'https://jumiwimov.ru/strik?utm_term=best+book+to+learn+python+for+beginners+in+india', is flagged as unknown reputation and is likely the primary malicious destination. ClamAV also detected this file as 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0', further supporting its malicious nature. The document body, though heavily obfuscated, appears to contain text related to learning Python, suggesting a lure for users searching for educational resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=best+book+to+learn+python+for+beginners+in+india
    • https://guxitubekin.weebly.com/uploads/1/3/4/2/134267073/5ea07.pdf
    • https://dezilitew.weebly.com/uploads/1/3/4/7/134728488/5666011.pdf
    • https://libepofiko.weebly.com/uploads/1/3/1/4/131483361/1293617.pdf
    • https://kigijogi.weebly.com/uploads/1/3/4/7/134702755/mujetef.pdf
    • https://pabarubuvu.weebly.com/uploads/1/3/1/3/131379718/8722821.pdf
    • https://waramexebogod.weebly.com/uploads/1/3/1/8/131856917/zozok-sitexonarigoker-xikekobopunop-wasoj.pdf
    • https://damatabawapu.weebly.com/uploads/1/3/1/3/131379320/mosasunine_bagomirom.pdf
    • https://turoliletipusu.weebly.com/uploads/1/3/5/9/135969349/0107a05.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d243c615-e75f-49df-b176-712a21b7db08/pharmacotherapy_handbook_10th_edition_download.pdf
    • https://20128683-61eb-4207-b985-d468b1a81fea.filesusr.com/ugd/0049ca_c7f6984b675e460996ab5d20c3a92149.pdf?index=true
    • https://9a4b5e96-23fe-4021-9525-787506808755.filesusr.com/ugd/b3318b_0c03aa48c6154eb6a6bbb0edcc8c8620.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5f2bacbc-0a27-4a88-a507-11da3e7bed5b/excelsior_springs_hospital_physical_therapy.pdf
    • https://uploads.strikinglycdn.com/files/e42e97f8-b131-4851-a06c-df5f5d2efb8a/pawunobalaxiwenisemajo.pdf
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_a5d088e4f4a34afa81434137a0a437f8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0d0481f9-b438-46be-91fa-b35c8457f221/distinguish_between_bacterial_and_viral_infections.pdf
    • https://27dd58ca-3bab-4825-b0a2-cb75a9f796de.filesusr.com/ugd/aba4c5_91c43bd8674b4312afda4732a49e0693.pdf?index=true
    • https://680e7e7f-99bb-4309-8a01-ecc910dc7690.filesusr.com/ugd/717a42_c5df2d42f1dc4e94919215d443e887f0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ca41d07b-c2e4-419a-b2d5-e6ebf6619f76/mitsubishi_mr_slim_heat_not_working.pdf
    • https://d52369c8-37f2-40d9-9d5f-d682b3b4a2e4.filesusr.com/ugd/6d5a7b_c65b5fdf78f74ce695b3472bf99e6368.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ccd19ab5-824f-40db-9c32-02a9d4718f6b/invisible_define_in_a_sentences.pdf
    • https://uploads.strikinglycdn.com/files/0cf88299-10bf-4b76-994f-61a490cd58df/netgear_wnr3500l_v2.pdf
    • https://uploads.strikinglycdn.com/files/f35c6bd6-3e9c-42c2-84a7-6c14b1511f83/betego.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5da.bin
6029b58b69a1dab5a8dbf71d307a6e34d49f7ab45f813ed72d104ca7a654eebf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5DA 5660 bytes
font_01_sfnt_off0000f928.bin
a4351a97445d8ee7f08121da883d4ac08863436d68dcf733f4a56ef38fee13ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF928 10772 bytes
font_02_sfnt_off00011e32.bin
dbab3740e3f091b57561c0e871950baf864a19485f3b616cc3fb640b54b9d488		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E32 16796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.