Malicious PDF — malware analysis report

Static analysis result for SHA-256 f83f5845c6822ed9…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-14 21:49:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e5ab77657fbdbb9a62c7688bd7c245a5
SHA-1: 00f64b9315a4fe25a17267d8113d6046c90ec083
SHA-256: f83f5845c6822ed9cf647059b143f5ad033d205b5a5c4be128776d7719081966
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number pointing to potentially malicious domains, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The document body, though heavily obfuscated, suggests a lure related to 'sheet music', which is likely a pretext to drive users to these external sites. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9770

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • PDF differential parser failed [info, PDF_DIFFERENTIAL_PARSE_FAILED]
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f8c5.bin
    SHA-256: 12b22abdac0262e9ff565712193574d148059307665ae5a1c6a5980a743edce6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8C5
    Size: 5468 bytes
  • Filename: font_01_sfnt_off00010b57.bin
    SHA-256: d5ecb11a7a86c218c477ad73499b60ea11e716fb34f22d1bf0571ad34bc751ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B57
    Size: 10916 bytes