Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc5d3a95598c7201…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-05-02 00:24:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aab46b2d7196076fc66e2f9f5c51d868
SHA-1: 9071bc4dc9f6155a782c037610caac0f1ca5a1c2
SHA-256: fc5d3a95598c7201e7c932027b0a2af8363923ea8cef683fa08ee28a23e52097
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by multiple heuristics, including a critical finding for a mass external PDF link farm and a ClamAV detection as Pdf.Phishing.Trojan. The document body is heavily obfuscated, but the extracted URLs are clear enough: most are link annotations pointing at other .pdf files hosted on site-builder CDNs (filesusr.com, strikinglycdn.com) and free hosting (epizy.com, atwebpages.com, iblogger.org, mygamesonline.org), with the largest cluster on one host. That pattern, together with the authoring application (wkhtmltopdf, an HTML-to-PDF converter typical of bulk-generated carriers), indicates a generated SEO/link-farm PDF meant to route readers to external, potentially malicious, sites rather than a document with a normal citation pattern, consistent with a phishing or spam campaign. Note that none of the five heuristics below reports JavaScript in the file, so the T1059.007 mapping rests on the campaign type rather than on an observed script in this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://nipisod.ru/strik?utm_term=balzac+and+the+little+chinese+seamstress+themes
    • http://memisada.mygamesonline.org/wordly_wise_book_8_lesson_4_answers.pdf
    • http://sanogisiwelel.iblogger.org/denorefegidagibopojixaro.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nigukeja.epizy.com/5116385928.pdf
    • https://3437305d-a3f4-4f94-9a63-846dd410f5be.filesusr.com/ugd/ffe76b_80b89d0ee72d4526bcbf59588b9615a1.pdf?index=true
    • https://c18d7360-3707-4bf1-9d6f-52ba7510fa17.filesusr.com/ugd/76cb06_c3683f3a725b4bc9862ddafc6219e743.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bc27c389-af93-472b-8c3e-fd0e26c20c9e/at_what_age_can_u_get_ssi.pdf
    • https://63b1f34b-4847-450f-8d9a-4788d10e1cf5.filesusr.com/ugd/451a43_17dec7d27621418b9a4bcd4d8ddfc405.pdf?index=true
    • https://66c7139a-03c0-45fe-98d3-e817d1e01442.filesusr.com/ugd/de2db5_c61d2e097dac473396de94ac6dd90a50.pdf?index=true
    • https://uploads.strikinglycdn.com/files/883318d6-7764-4b97-8a5b-4c3bbded9e95/75081894530.pdf
    • http://jukasuxoseki.atwebpages.com/automobile_engineering_books_download.pdf
    • https://uploads.strikinglycdn.com/files/9330cd3d-838e-4f71-a0d4-9d1c09ab1443/allworx_voicemail_number.pdf
    • https://5c71d6b4-13b5-43a2-97a4-9a0eba4d0f4d.filesusr.com/ugd/0f1814_7cafcc6de06946d080e8768b1f4ae2d3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f1c5863e-857c-45b4-bef7-d244eb6c3feb/paint_dot_net_make_background_transparent.pdf
    • https://uploads.strikinglycdn.com/files/44904f70-5313-4ff5-a889-ff26ac4b0c39/30970661611.pdf
    • https://5a98ae10-8c7e-48da-b83f-9bcbc644cfa3.filesusr.com/ugd/9a8764_e54ca09e81a043c8aa110334ba62f6c5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/648ebc35-f322-47dc-ad31-c5879b95cddb/35008762967.pdf
    • https://afa032df-bfad-47da-a9c8-c79260182993.filesusr.com/ugd/6f9b04_7697eb8cf4d347948660945e50607536.pdf?index=true
    • https://cb0508fd-2a1f-4901-a161-a76823ee8e4f.filesusr.com/ugd/52013e_ef10e13b50d543e6a07692a9609b3d7a.pdf?index=true
    • https://77701ba7-c5ad-4750-ab17-5b03548f7fc0.filesusr.com/ugd/9a242c_a28e2bad0f53409d9dd6ba7c57ff4d24.pdf?index=true
    • https://uploads.strikinglycdn.com/files/52f90702-4a8a-4954-9fe8-d3661b5980f3/pedufizamefiludasa.pdf
    • https://uploads.strikinglycdn.com/files/6caf2e81-eca8-4c1b-9f3a-8316569731ba/grade_or_standard_of_excellence_crossword_clue.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF namespace identifiers from the document metadata and the SIL Open Font License URL carried by an embedded font; they are string matches, not link annotations, and should not be counted towards the link-farm cluster. The two ascendercorp.com entries most likely come from the name tables of the embedded fonts as well (an inference from the two carved sfnt fonts, not something the report states), so the actionable set is the .pdf targets on nipisod.ru, filesusr.com, strikinglycdn.com and the free-hosting domains.
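As an added illustration of the two parser checks reported above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, the Python below is example code written for this page, not the analyser's own implementation. It scans raw (uncompressed) PDF bytes for /URI literal strings, measures how strongly the external links cluster on one host, and finds indirect objects defined more than once with different bodies. The sample PDF, the host names and the thresholds are constructed assumptions; real carriers may keep their annotations inside FlateDecode object streams, which would have to be inflated first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal uncompressed PDF with
# four /Link annotations pointing at external URIs, three on one host, followed
# by an incremental update that redefines object 4 0 with a different target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/z.pdf) >> >> endobj
%%EOF
"""

# /URI followed by a PDF literal string; "\\." keeps escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# "N G obj ... endobj": every indirect object definition, including redefinitions.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)


def extract_uris(data: bytes) -> list[str]:
    """Return every /URI literal string in document order (uncompressed objects only)."""
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).decode("latin-1")
        # undo the literal-string escapes that matter for a URL
        raw = raw.replace(r"\(", "(").replace(r"\)", ")").replace("\\\\", "\\")
        out.append(raw)
    return out


def link_farm_score(uris, size_bytes, *, max_size=512 * 1024, min_links=10, cluster_ratio=0.5):
    """Approximate the link-farm heuristic: a small file, many http(s) links,
    most of them on a single host. Thresholds are assumptions for this example."""
    hosts = Counter()
    pdf_targets = 0
    for u in uris:
        p = urlparse(u)
        if p.scheme not in ("http", "https") or not p.netloc:
            continue  # skips mailto:, relative strings and namespace-style URIs without a host
        hosts[p.netloc.lower()] += 1
        if p.path.lower().endswith(".pdf"):
            pdf_targets += 1
    total = sum(hosts.values())
    top_host, top_n = (hosts.most_common(1) or [(None, 0)])[0]
    ratio = top_n / total if total else 0.0
    flagged = size_bytes <= max_size and total >= min_links and ratio >= cluster_ratio
    return {
        "external_links": total,
        "top_host": top_host,
        "top_host_share": round(ratio, 2),
        "pdf_targets": pdf_targets,
        "flagged": flagged,
    }


def duplicate_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Map (num, gen) -> bodies, for objects defined more than once with differing bytes.
    A first-wins parser renders bodies[0]; a last-wins parser (one that honours
    incremental updates) renders bodies[-1], so the two can show different content."""
    seen: dict[tuple[int, int], list[bytes]] = {}
    for num, gen, body in OBJ_RE.findall(data):
        seen.setdefault((int(num), int(gen)), []).append(body.strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print(link_farm_score(uris, len(SAMPLE_PDF), min_links=4))
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with different bodies")
```

For a real sample, read the file bytes in place of SAMPLE_PDF and inflate any FlateDecode object streams before scanning; the namespace URIs listed above would be dropped by the scheme/host filter only if they lack a host, so a production version should also exclude URLs reached via the XMP metadata channel rather than via link annotations.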

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f905.bin | 4681538f6be5f00dced14ecf5356e5b7ccb118f4da60982b35431ef684e910c9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF905 | 5276 bytes
font_01_sfnt_off00010aca.bin | 16b7a6b6a324fd5e9c23560287dbfdfe58be6d616f8b44c0f8b510ee70a7a011 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ACA | 10888 bytes