Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbe954a6c162d458…

Verdict: MALICIOUS
File type: PDF
Size: 90.7 KB
Created: 2021-05-23 18:40:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d14b3f814e445ff8990db6539408dbeb
SHA-1: 66ded14055842ef2ba707003a342b7d5cf700a67
SHA-256: fbe954a6c162d458ee75b7e0833ba54b620eaacf39233b8824b0476079fceded
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF file contains a large number of external links, identified as a link farm, which is a common tactic for SEO manipulation or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded content, though heavily obfuscated, appears to be a lure related to 'fifty shades freed movie length' to encourage user interaction with the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012252.bin
  SHA-256: c328262bb23e94ce7c97fd7509691d268eee9d63d4b330163815d3dca886a888
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12252
  Size:    5436 bytes

Filename: font_01_sfnt_off000134be.bin
  SHA-256: c83e2e5bd5705d8b6e5e99f27534835050a00f84e955f0abd70c0955e3e7d024
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x134BE
  Size:    12456 bytes