Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed5f9147b81cc70f…

Verdict: MALICIOUS
File type: PDF
Size: 81.9 KB
Created: 2021-03-16 23:32:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d73a30429cf24412d47896c303385dd
SHA-1: 7b0b614918f90446dff5958266f76afb32b3af6d
SHA-256: ed5f9147b81cc70f8e92cebf0f4b4feffa4979ec1f9a55b4f4048b735f599508
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external link actions, and the PDF_SEO_LINK_FARM heuristic flags them as clustered (here mostly on uploads.strikinglycdn.com and a handful of free-hosting domains) in the pattern of generated SEO link-farm carriers rather than normal document citations. The authoring application, wkhtmltopdf, is consistent with an HTML-to-PDF generated carrier. The ML classifier (malicious score 0.9964) and the ClamAV signature independently indicate malicious intent. Taken together, the embedded URLs and the document structure point to a phishing or unwanted-software distribution scheme that uses the document body as a lure to route the reader to further hosted PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=make+your+bed+pdf+online
    • http://forecast.bet/57770049655c46sl.pdf
    • http://servisvds.ru/84101981820w080m.pdf
    • http://italysummer.fun/5474870365qrwtc.pdf
    • http://pejazadajenatew.getenjoyment.net/cad_2020_convert_to_dwg.pdf
    • http://keepqifi.space/eureka_vacuum_not_turning_on91z7z.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/60e60fc7-1f69-493b-90ec-7c579c2507c2/weromopewuzevanijinoso.pdf
    • https://uploads.strikinglycdn.com/files/2c83c26f-7df7-4f45-b737-b8fbcdb2017b/ghatna_chakra_english_book_free_download.pdf
    • http://zudupaxub.myartsonline.com/sorosuzevulujipiv.pdf
    • http://jutagejefutix.atwebpages.com/what_is_the_grounded_theory_equivalent_of_case_node.pdf
    • https://uploads.strikinglycdn.com/files/268310f6-17e9-4d43-b29c-d53b60da37a4/free_printable_daily_weight_loss_chart.pdf
    • https://s3.amazonaws.com/lanubili/thanksgiving_dinner_list_template.pdf
    • https://aee666f7-65d2-4416-8089-42e5bd85255d.filesusr.com/ugd/c4036c_535e11c399b247cab937b174ea1471c5.pdf?index=true
    • https://s3.amazonaws.com/pazovugal/dizupesabebole.pdf
    • https://uploads.strikinglycdn.com/files/85d63d53-e776-4c83-bb20-7366fa0c2d8b/41105726525.pdf
    • https://uploads.strikinglycdn.com/files/58561365-99dd-4a40-b3cb-3e0da6550c1c/trig_identities_isosceles_triangle.pdf
    • https://uploads.strikinglycdn.com/files/6e8cd408-e489-4a58-9942-2453f1fc634d/90412907639.pdf
    • https://uploads.strikinglycdn.com/files/8940f610-4a1d-4d12-83e0-909b75a0e409/typography_logo_design_illustrator.pdf
    • https://c4cd0dbc-23d7-4f11-b65f-2561cec8abe5.filesusr.com/ugd/516793_b559d0ec2de94a5e848da9e2cf440879.pdf?index=true
    • https://s3.amazonaws.com/natewared/7610557926.pdf
    • https://s3.amazonaws.com/sesafefanulokam/63486984504.pdf
    • http://ligiwekuxote.myartsonline.com/alfred_piano_books_for_beginners.pdf
    • https://535a9070-e28a-464b-adc5-c02ad08be00b.filesusr.com/ugd/9df9d6_811db3944315460e8a35b63a542fc19b.pdf?index=true
    • https://s3.amazonaws.com/wibedubosateg/cyber_security_file.pdf
    • https://uploads.strikinglycdn.com/files/1f8e5c5c-3d25-40a3-bf7b-ea78f74e856b/rain_dial_rd-600-r.pdf
    • https://58eafb2e-ea74-4523-a1b2-d2e0fe9bfe54.filesusr.com/ugd/466fa0_f6cd00ec3a4e4741a029870fe1b603ed.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a22aa86c-de7f-4d49-90ae-98a949ceb11f/99430432545.pdf
    • http://dapizodipe.myartsonline.com/le_robert_collins_french_english_dictionary.pdf
    The remaining seven URIs are not clickable links and should be excluded when counting outbound links for the link-farm heuristic: the w3.org, purl.org and ns.adobe.com entries are the RDF, Dublin Core and XMP namespace identifiers of the document's XMP metadata packet, and scripts.sil.org/OFL is the SIL Open Font License URL typically carried in an embedded font's licence metadata.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
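
As an added worked example (not part of this report or of the scanning engine that produced it), the following Python triage script reproduces the logic behind the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above on a constructed miniature PDF: it enumerates "N G obj ... endobj" definitions, reports object ids redefined with different bodies, extracts /URI link actions under both first-wins and last-wins object resolution, and clusters the targets by host. The sample PDF bytes, the host names (example.test, other.test, evil.test) and the thresholds (200 KB, 10 links, 50% single-host share) are assumptions for illustration, not the report's tuning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a link-farm PDF: three /Link annotations with /URI
# actions (two on one host) plus an incremental update that redefines object 4
# with a different body. This is NOT the sample described in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.test/c.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://evil.test/x.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Top-level "N G obj ... endobj" runs. Triage-grade: does not inflate object
# streams, so objects hidden in /ObjStm are not seen.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI action target as a literal string; hex strings (<...>) and escaped
# parentheses are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def iter_objects(data: bytes):
    """Yield (num, gen, body) for each object definition in file order,
    including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes):
    """Object ids defined more than once with differing bodies -> {(num, gen): [bodies]}.
    Identical re-emission of the same bytes is ignored, as the heuristic text says."""
    bodies = {}
    for num, gen, body in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve_objects(data: bytes, policy: str = "last"):
    """Build the object table a 'first'-wins or 'last'-wins reader would see."""
    table = {}
    for num, gen, body in iter_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def link_uris(data: bytes, policy: str = "last"):
    """Clickable /URI action targets under the given resolution policy.
    Only /URI actions count; namespace URIs in XMP metadata are not links."""
    uris = []
    for body in resolve_objects(data, policy).values():
        for m in URI_RE.finditer(body):
            uris.append(m.group(1).decode("latin-1"))
    return uris


def link_farm_verdict(uris, size_bytes, max_size=200 * 1024, min_links=10, min_share=0.5):
    """Rough analogue of PDF_SEO_LINK_FARM: small file, many external links,
    one host dominant. The thresholds are illustrative assumptions."""
    hosts = Counter()
    for u in uris:
        parts = urlsplit(u)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts[parts.hostname] += 1
    total = sum(hosts.values())
    if total == 0:
        return {"fires": False, "links": 0, "top_host": None, "top_share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / total
    return {
        "fires": size_bytes <= max_size and total >= min_links and share >= min_share,
        "links": total,
        "top_host": top_host,
        "top_share": round(share, 3),
    }


if __name__ == "__main__":
    for policy in ("first", "last"):
        uris = link_uris(SAMPLE_PDF, policy)
        print(f"{policy}-wins links: {uris}")
        print("   ", link_farm_verdict(uris, len(SAMPLE_PDF), min_links=3))
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)}x with differing bodies")
```

Run as a script it shows the two resolution policies disagreeing about object 4: a first-wins reader sees the example.test cluster, a last-wins reader follows evil.test instead. To triage a real file, pass its bytes to `link_uris` and `duplicate_objects`, bearing in mind that this regex parser neither inflates object streams nor decodes hex strings, so it is a first-pass check rather than a substitute for a full PDF parser.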

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010199.bin
  SHA-256: 4dfe7f684f76e2ce7d8a3ca74e286519d0b286ee895bd7d94fe1923735e16a4f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10199
  Size:    5168 bytes

Filename: font_01_sfnt_off00011354.bin
  SHA-256: c7c731abb73b364e8578fca57dbcb59ecba11d4639f79b80fc4be397164f45e6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11354
  Size:    11348 bytes