Malicious PDF — malware analysis report

Static analysis result for SHA-256 0653eae4868172ac…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-03-17 22:37:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 2de23f06dadf0723f7386b4d0e0c5c7b
SHA-1: ccb1bbb9079c5b897f1eb29f783c53a106da5b2e
SHA-256: 0653eae4868172ac95c23273362964362e102573bcd43180a4621e59db0be4b9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is identified as malicious by ClamAV and an ML classifier. It contains numerous external links, with a critical heuristic flagging it as a PDF link farm. One of the primary URLs, 'https://mezovuduw.ru/wix?keyword=assured+muscle+rub+while+pregnant', suggests a potential phishing or spamming attempt, likely to drive traffic to SEO-optimized content or malicious sites. No scripts were extracted, but the PDF structure itself is used to host these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/wix?keyword=assured+muscle+rub+while+pregnant (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename, kind, source, size:
  • font_00_sfnt_off0000f947.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xF947, 5708 bytes
    SHA-256: 80abb6b617068e9c5177f61169b5dcd57413e93ddbae155fc13c892c3e5cb8f0
  • font_01_sfnt_off00010c8f.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x10C8F, 11540 bytes
    SHA-256: 850fc7777b30fee915daf1b1c22979746faabf7d27abed0dc287a722e08b44d9