Malicious PDF — malware analysis report

Static analysis result for SHA-256 f56350bf6c09052d…

Verdict: MALICIOUS
File type: PDF
Size: 68.8 KB
Created: 2021-03-16 11:02:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75e4f7852bc23458c643932955b66897
SHA-1: d0e82462d1dfe60291f2f6499a0e617fcc3d527f
SHA-256: f56350bf6c09052d1f47228bbebfc84c8794be359ccff78c9f5a7a071dca016d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged as malicious by the ML classifier (score 0.9996) and by ClamAV, which matches it to a PDF phishing-trojan signature. The document carries an external URL action to pelibifir.ru whose query string (utm_term=reading+log+template+google+sheets) is styled as a search-keyword landing page; in this context the domain is assessed as a lure or redirector into further payload delivery. The remaining link annotations point to some two dozen other PDFs hosted on uploads.strikinglycdn.com (more than half of them), weebly.com, f-static.net and filesusr.com, which is the pattern of a generated SEO link-farm carrier rather than a document with genuine citations; the wkhtmltopdf producer string is consistent with a PDF rendered from generated HTML. Note that none of the five static heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the static findings shown on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, with more than half of them clustered on a single host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature name above.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate definition carries active content; here it did not, hence the info rating.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) indicate how each URL is reached.
    • https://pelibifir.ru/123?utm_term=reading+log+template+google+sheets
    • https://cdn-cms.f-static.net/uploads/4390684/normal_5fd8f6ec5e3eb.pdf
    • https://cdn-cms.f-static.net/uploads/4371025/normal_600c1e94dec8d.pdf
    • https://cdn-cms.f-static.net/uploads/4481993/normal_601c9b447d583.pdf
    • https://gagavupotiwek.weebly.com/uploads/1/3/0/8/130813998/4488800.pdf
    • https://tiseworadew.weebly.com/uploads/1/3/5/3/135317060/250446.pdf
    • https://jetasiduneka.weebly.com/uploads/1/3/4/5/134586997/zisevimutova.pdf
    • https://static.s123-cdn-static.com/uploads/4385216/normal_5fe2504df3452.pdf
    • https://namowabe.weebly.com/uploads/1/3/4/0/134000139/kewifavofivewasobud.pdf
    • https://cdn-cms.f-static.net/uploads/4458622/normal_602b6b55ea708.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/699fd7bb-0787-4532-b992-e70983575ac9/quadratic_equation_vertex_form_to_intercept_form.pdf
    • https://uploads.strikinglycdn.com/files/a7eadbef-54d3-41a7-9302-cfb8a741b043/27236539135.pdf
    • https://uploads.strikinglycdn.com/files/d6a185b4-d46a-4a6f-b685-0079a9f08a86/how_to_start_a_roomba.pdf
    • https://uploads.strikinglycdn.com/files/a06ae4a8-c2d1-4753-854d-abde567c96ec/the_gabriel_method_morning_visualization.pdf
    • https://uploads.strikinglycdn.com/files/5b6c1358-8e0f-4adb-8b30-020dd6e09779/what_is_the_history_of_china_and_hong_kong.pdf
    • https://uploads.strikinglycdn.com/files/c95e0108-abf3-45a4-83b8-8b6e4366ff0c/73473983309.pdf
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_4c152bace59c43b291469dbcff0b27fb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5038a210-fbd5-496c-8034-79cfe762c5e7/the_twilight_saga_2010_movie_download_in_hindi_480p.pdf
    • https://uploads.strikinglycdn.com/files/0d80c675-e373-4241-adde-23f1fcc03e2e/ropemawisomaro.pdf
    • https://uploads.strikinglycdn.com/files/f72792eb-32c6-4152-99c3-ce1583fec1c2/my_grandma_got_run_over_by_a_reindeer_movie_free.pdf
    • https://dacf5b84-f80e-4bd8-bb7f-22aad20a1cd8.filesusr.com/ugd/285be4_f79bbd0ae4134551ac2ea8be375cc46c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/85af9420-d75a-4303-81e2-a5b08896f96e/xigujiwilemugu.pdf
    • https://uploads.strikinglycdn.com/files/1f509205-fae1-43f3-80ba-e3aa3903159e/zurixubomabifizu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF metadata namespace identifiers and the SIL Open Font License URL; they are string constants in the document and font metadata, not link targets, and should not be added to blocklists.
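
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small static scanner. The following is an added example written for this page, not the analysis engine's own code: it enumerates indirect objects, reports object numbers redefined with different bodies (rating them critical only when a definition carries active-content keys such as /JS, /AA or /URI), extracts /URI action strings, and flags a small file whose external .pdf links cluster on one host. The thresholds, the active-key list, the in-memory PDF fixture and the example.invalid hostnames are all assumptions made for the demonstration; the sample URL set is constructed to mirror the shape of the list above, not copied from it.

```python
"""Static PDF triage (added example): duplicate-object and link-farm heuristics.
Thresholds, active-key list and the PDF fixture are assumptions for this demo."""
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' in file order; non-greedy so each body stops at its own endobj
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# literal-string URI targets: /URI (...) with PDF backslash escapes tolerated
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# keys whose presence makes first-wins/last-wins disagreement matter (assumed list)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")


def iter_objects(data):
    """Yield (num, gen, body) for every indirect object, including redefinitions."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """Map (num, gen) -> (first_body, last_body) for objects redefined with different bytes."""
    first, dups = {}, {}
    for num, gen, body in iter_objects(data):
        key = (num, gen)
        if key not in first:
            first[key] = body
        elif body != first[key]:
            dups[key] = (first[key], body)  # first-wins reader sees first[key], last-wins sees body
    return dups


def duplicate_severity(first_body, last_body):
    """Info for plain incremental edits; critical when either definition carries active content."""
    active = any(k in first_body or k in last_body for k in ACTIVE_KEYS)
    return "critical" if active else "info"


def extract_uris(data):
    """Decode every /URI (...) literal string in the file (hex-string form not handled here)."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm(uris, size=None, max_size=200_000, min_links=8, min_share=0.5):
    """Flag a small PDF whose external .pdf links cluster on one host (thresholds assumed)."""
    if size is not None and size > max_size:
        return None
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https") and urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < min_links:
        return None
    host, n = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    if n / len(pdf_links) < min_share:
        return None
    return {"pdf_links": len(pdf_links), "top_host": host, "top_host_links": n}


def triage(data):
    """Run both heuristics and return (rule, severity, detail) tuples like the report's list."""
    findings = []
    for (num, gen), (first_body, last_body) in duplicate_objects(data).items():
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                         duplicate_severity(first_body, last_body), f"obj {num} {gen}"))
    uris = extract_uris(data)
    if uris:
        findings.append(("PDF_URI", "info", f"{len(uris)} URI actions"))
    hit = link_farm(uris, size=len(data))
    if hit:
        findings.append(("PDF_SEO_LINK_FARM", "critical",
                         f"{hit['top_host_links']}/{hit['pdf_links']} .pdf links on {hit['top_host']}"))
    return findings


def build_sample(uris, redefine_page=True):
    """Constructed fixture: one link annotation per URI, then an incremental update that
    redefines the page object (3 0) with an /AA open action, so readers disagree on its body."""
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
            (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(uris)))
    objs.append((3, b"<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>"))
    for i, u in enumerate(uris):
        objs.append((10 + i, b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                            b"/A << /S /URI /URI (" + u.encode() + b") >> >>"))
    pdf = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % o for o in objs)
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    if redefine_page:
        pdf += (b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O << /S /URI "
                b"/URI (https://landing.example.invalid/open) >> >> >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf


# constructed link set: 8 of 11 .pdf targets sit on one CDN host, plus one non-PDF landing URL
SAMPLE_URIS = (["https://landing.example.invalid/123?utm_term=template"]
               + [f"https://cdn.example.invalid/uploads/{i}/doc_{i}.pdf" for i in range(8)]
               + [f"https://{h}.example.invalid/files/a.pdf" for h in ("alpha", "beta", "gamma")])
```

Running `triage(build_sample(SAMPLE_URIS))` yields the duplicate-object finding at critical (the redefined page carries /AA and /URI), the plain PDF_URI note, and the link-farm finding with 8 of 11 .pdf links on one host. Against a real sample, replace the fixture with the file bytes; the regexes operate on the raw byte stream, so links inside compressed object streams would need decoding first.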

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d01b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD01B  5284 bytes
    SHA-256: d032f26e07e1516ce9f401cb833dcca8263e44576f01736e1b5e314e886b554e
font_01_sfnt_off0000e1f6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE1F6  10096 bytes
    SHA-256: 5b7e468a56af8f44b15fd8f2335da562fbf26f321532b3a5f66d457512b7785d

Both carved artifacts are embedded sfnt (TrueType/OpenType container) font programs; none of the heuristics above flags them.