Malicious PDF — malware analysis report

Static analysis result for SHA-256 14eb13ca094fa842…

Verdict: MALICIOUS
File type: PDF
Size: 86.0 KB
Created: 2021-04-07 00:10:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a13445d3d3f334999fa11daf6712482f
SHA-1: 67132dfb408979cdba6a0fee43fd30c2f461d414
SHA-256: 14eb13ca094fa8427cc014fbfe619a5555228de815adf8040000fc3e3f2127d1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on dynamic DNS services, indicating a link farm designed to distribute malicious content. The ML classifier strongly flagged this PDF as malicious. The primary malicious URL identified is https://lozipotod.ru/123?utm_term=beauty+plus+apkpure+old+version, which is likely used to host or redirect to malware. No scripts were extracted, but the PDF structure and numerous external links suggest an attempt to trick users into downloading further malicious payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • https://lozipotod.ru/123?utm_term=beauty+plus+apkpure+old+version
      • http://leketeko.22web.org/69094816420.pdf
      • http://jakivuxevova.22web.org/sufupotetonodifo.pdf
      • https://domilejoxu.weebly.com/uploads/1/3/4/5/134529458/3055e41.pdf
      • http://repair-planshetov.ru/zigonaximesef3itdp.pdf
      • https://bosevexoliwi.weebly.com/uploads/1/3/4/5/134585498/6b72cfc8459.pdf
      • http://italystore.pro/nurabodugajikorilosofarok5knq7.pdf
      • http://dikuziropuviv.22web.org/83782965664.pdf
      • http://towibukawit.22web.org/anisositosis_adalah.pdf
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • https://66166ed5-207d-48ad-a5ac-83b7e977862f.filesusr.com/ugd/0d0d42_86dd6b86f6c2443b8953915411cde9a2.pdf?index=true
      • http://tidegofavinugaw.epizy.com/chrome_app_launcher.pdf
      • https://e0220c8c-c322-4c33-af83-7c5b0fe00b66.filesusr.com/ugd/a771bd_e1426559753340deb07e11ab19af65c6.pdf?index=true
      • http://zuvemodu.rf.gd/sixinexitovulimebu.pdf
      • https://s3.amazonaws.com/lixisariwulo/54177731461.pdf
      • https://30621b86-6952-4b41-80af-4d24d830bc7c.filesusr.com/ugd/122077_3a70e8c04abf41de911fa6e836a06c5a.pdf?index=true
      • https://s3.amazonaws.com/sojenozap/que_es_un_caballo_de_troya_en_informatica.pdf
      • https://s3.amazonaws.com/buwosevax/oracle_pl_sql_concatenate_strings.pdf
      • https://983c8978-ad56-435f-a988-47358aa6040c.filesusr.com/ugd/06a663_a201cea5ae9b41d8a12102fc1e65b361.pdf?index=true
      • https://d09251a9-b09e-4077-8ccb-24037f005f7b.filesusr.com/ugd/a6ce17_3dabf367bfba41a3b14079992ffa8a29.pdf?index=true
      • http://mifisabewup.epizy.com/gowud.pdf
      • http://rajokonola.epizy.com/bekhayali_song_for_status.pdf
      • http://gujitijeko.rf.gd/34016919832.pdf
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
      • http://scripts.sil.org/OFL
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0000fa00.bin
    SHA-256: abdfe70020f0da7235c86dc25dff35bdc84838f657fe9956c65b8c1df9eb04ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA00
    Size: 5228 bytes
  • Filename: font_01_sfnt_off00010be6.bin
    SHA-256: 298655db756d5322f5b884003699bcf8e661fcc2c880710b55b2714781571379
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BE6
    Size: 11532 bytes
  • Filename: font_02_sfnt_off00013388.bin
    SHA-256: 4166f4fd6b5f9cbcc316ee09d4e3513fcbf3da4bdb7825550f5998bdc062fdbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13388
    Size: 16540 bytes