Malicious PDF — malware analysis report

Static analysis result for SHA-256 f785528a52e4ef1e…

MALICIOUS

PDF

Size: 83.3 KB
Created: 2021-03-24 12:59:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60837608c80b684bbf309514a130c81c
SHA-1: 4b39d9007539aaa2ffebc7d81842d2d931d6a730
SHA-256: f785528a52e4ef1e53deef7e4b11453a2b50e1bb71cb8199988af65e79d275b8
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, identified as a "PDF link farm" heuristic, suggesting an attempt to redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically classified as a "Phishing Trojan". While no scripts were explicitly extracted, the PDF structure and embedded URIs point towards a malicious document designed to lead users to potentially harmful content or downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=epic+pi+day+word+search+answers
    • http://fopokigife.mywebcommunity.org/murmurs_of_earth_the_voyager_interstellar_record.pdf
    • http://kijofizovurisos.medianewsonline.com/44722639454.pdf
    • https://static.s123-cdn-static.com/uploads/4488315/normal_5fe3e22a249b9.pdf
    • https://static.s123-cdn-static.com/uploads/4452148/normal_5ffc976ae437e.pdf
    • http://kavelokafozi.medianewsonline.com/ackerman_s_account_application_form.pdf
    • http://xufuzema.sportsontheweb.net/bsc_part_2_chemistry_practical_book.pdf
    • https://static.s123-cdn-static.com/uploads/4459641/normal_5ffbe30aefd21.pdf
    • https://static.s123-cdn-static.com/uploads/4423454/normal_6007fa4659fad.pdf
    • https://cdn-cms.f-static.net/uploads/4406777/normal_60127f09a9feb.pdf
    • https://static.s123-cdn-static.com/uploads/4459784/normal_5fe4dc3f56edc.pdf
    • https://static.s123-cdn-static.com/uploads/4392237/normal_60024ebf54535.pdf
    • https://cdn-cms.f-static.net/uploads/4444852/normal_600ca28fb01a8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://mubodadekutaxim.atwebpages.com/newusiredasufexi.pdf
    • https://6d5fec37-5936-4ae8-8938-03a86e982f09.filesusr.com/ugd/d4da64_719bec3a82eb407593472839b4a9b1c3.pdf?index=true
    • https://528f6e5c-6927-42ef-b7a5-a8f9c349750c.filesusr.com/ugd/07b979_1fa4a53185994468b119c10ffd71df7c.pdf?index=true
    • https://c6de0af5-2a4c-46da-924c-839bccb102c6.filesusr.com/ugd/5f1f0f_3bd810db0b5c42edb0f5d37edf01aa30.pdf?index=true
    • https://ff0b3df2-dc61-4aeb-9024-93fa9b5bc175.filesusr.com/ugd/aa14a9_45bbee7d0c6549abbf08a6495e250734.pdf?index=true
    • http://dozuxix.myartsonline.com/wolf_range_parts_list.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000faea.bin | 8f207c184c9ad0cd3c279fb0b57667af3955c178ded2d0084b543c527b6d156c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAEA | 4988 bytes
font_01_sfnt_off00010bde.bin | cf75420d9bafdb331ea57e798f8a8cf7c4c8f214708f291f2a1b2d1b7dde3624 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BDE | 11256 bytes
font_02_sfnt_off00013222.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13222 | 4324 bytes