Malicious PDF — malware analysis report

Static analysis result for SHA-256 f151183d2e3162ce…

MALICIOUS

PDF

69.4 KB Created: 2021-04-05 13:53:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 795a8b69551478ec47bfb57da18bcfa0 SHA-1: d20c7870c957391838329fb33fd10e2b5c1ceef7 SHA-256: f151183d2e3162ce91c0ef15f50aebe11f11f835d19b54d7b3f5eb4f636e70df
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many pointing to Weebly-hosted PDFs, suggesting a link farm or SEO spam operation. One of the embedded URIs, 'https://vilenefex.ru/wix?keyword=toshiba+laptop+battery+pa3817u-1brs+amazon', appears to be a lure for users searching for specific products. No scripts were extracted, but the PDF structure and numerous external links point towards a malicious distribution or phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=toshiba+laptop+battery+pa3817u-1brs+amazon
    • https://tidemipevu.weebly.com/uploads/1/3/0/7/130740592/vediji.pdf
    • https://lixezakokigek.weebly.com/uploads/1/3/4/5/134596317/efc2921e.pdf
    • http://ninuwekevap.scienceontheweb.net/database_management.pdf
    • https://domenotupeloli.weebly.com/uploads/1/3/4/6/134685365/7194553.pdf
    • https://wedufejaf.weebly.com/uploads/1/3/4/0/134018106/dexojazeju-judegovilus.pdf
    • https://zaxavafu.weebly.com/uploads/1/3/4/3/134323176/tugawududitarate.pdf
    • https://cdn.sqhk.co/tenalewi/ihsRxgc/mewe_app_for_mac.pdf
    • https://static.s123-cdn-static.com/uploads/4426815/normal_6008d5a5c3f99.pdf
    • https://cdn.sqhk.co/nomazotesi/0wGgjha/53216304859.pdf
    • https://gulezawajure.weebly.com/uploads/1/3/1/8/131858287/44dce.pdf
    • https://cdn.sqhk.co/supesuvepo/hi0jd8G/crashlands_multiplayer_pc.pdf
    • https://static.s123-cdn-static.com/uploads/4418991/normal_5fca5de843bf1.pdf
    • https://teseresoj.weebly.com/uploads/1/3/4/6/134644138/4433695.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bajupigirosinaf.atwebpages.com/appalachian_trail_map_pennsylvania.pdf
    • https://s3.amazonaws.com/xufoxorog/tedegudito.pdf
    • https://s3.amazonaws.com/fuzafuzeruwit/37050920089.pdf
    • https://s3.amazonaws.com/peveziwoguxuzam/pinawevuriko.pdf
    • https://s3.amazonaws.com/lazolu/mijiviromowasi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d00b.bin
8f7ec751c8220fcc9b5aabc663a36dd3ac1b6876f90d24d124c957022f32e34b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD00B 5820 bytes
font_01_sfnt_off0000e3cc.bin
43b241a48e9ae5584c1ada9953fc52a3ee890365d6ca313d9d2f2c259174c733		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3CC 10888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.