Malicious PDF — malware analysis report

Static analysis result for SHA-256 f862ea344d652a6c…

Verdict: MALICIOUS
File type: PDF
Size: 75.4 KB
Created: 2021-06-02 21:16:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acdf9116b91fe75f9752e4c6dbec72de
SHA-1: d6fea5a10ec330c844c611415fd990293af0e223
SHA-256: f862ea344d652a6c690e5a97676df167dcdd670da7d188807f6b6a42fa69438e
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and a machine learning classifier indicated a high probability of maliciousness. It contains a large number of external links, many pointing to Strikingly and Weebly domains, suggesting a link farm or redirection strategy. One prominent URL, 'https://wastran.ru/pbw?utm_term=2+player+fighting+games+unblocked+weebly', appears to be the primary lure, disguised within what seems to be SEO-related content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/pbw?utm_term=2+player+fighting+games+unblocked+weebly

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e86c.bin
  SHA-256: d46293bade341b628bc46dd7124b510463e7746adb32b759f96f6ed5a7f10628
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE86C
  Size: 6004 bytes

Filename: font_01_sfnt_off0000fcc3.bin
  SHA-256: db7c9062cebc50bba754e9bd82dbc1dee03a569cc8e30270f1c2bcda53830450
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFCC3
  Size: 10252 bytes