Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb0a093988824fd1…

MALICIOUS

PDF

Size: 69.8 KB
Created: 2021-03-08 06:02:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: a2438ba63a243ca6f8d01f8ebf837fdb
SHA-1: 2d78326d4ef8541387046f0518a641dcc906b032
SHA-256: fb0a093988824fd18ea141b1c8be58b4d5ae45e407054fb55569e50993d946de
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious and phishing-related by multiple heuristics, including a ClamAV signature and an ML classifier. It contains numerous external links; the one prominent URL, pointing to 'xajibur.ru', is likely part of a link farm designed to route users to malicious content. The embedded links and the overall structure suggest an attempt to trick users into visiting potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/wix?keyword=ap+world+history+chapter+15+quiz (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d33e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD33E
    Size: 5696 bytes
    SHA-256: 3d829dd91d9b5b3caa724c15d9ae106be41a4b1ea94f7fd89d4319d0ecba2a4e
  • Filename: font_01_sfnt_off0000e6b8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6B8
    Size: 10228 bytes
    SHA-256: e37f136d6967f4a67d70b50619cfd60c2729cf5399911585c86f749177723b64