Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fb15ecb2c7b8ed6…

MALICIOUS

PDF

82.9 KB Created: 2021-02-26 15:05:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 433b0a7bee3283814c5073ad975e96d6 SHA-1: 3b63e130793a4d58f1e8396fe8ca907fae5985a6 SHA-256: 1fb15ecb2c7b8ed6f8e72175bc77d69a82fb00a564903c957fd6db3bece021e6
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' suggests the document is designed to host a large number of external links, pointing to a potential phishing or malware distribution scheme. The presence of multiple unknown-reputation URLs further supports this, with the primary URL being 'https://kuzutuzo.ru/strik?utm_term=excellence+punta+cana+room+types'. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=excellence+punta+cana+room+types
    • https://cdn.sqhk.co/kolazapikib/dv7gfgg/imdb_movies_2019_download.pdf
    • https://cdn-cms.f-static.net/uploads/4484118/normal_6015ec33c1610.pdf
    • https://cdn.sqhk.co/wifenepomojo/fu60hdq/kawokuvimudagilabezoluni.pdf
    • https://cdn.sqhk.co/jimavidozeze/jwjbgcG/island_in_the_sun_chords_ukulele.pdf
    • https://cdn.sqhk.co/lafuwexale/s1dgegj/gedadoba.pdf
    • https://cdn.sqhk.co/kobamebexog/ghjh0he/wind_spinner_won_t_spin.pdf
    • https://punuvenow.weebly.com/uploads/1/3/4/4/134445800/weforeridak.pdf
    • https://cdn-cms.f-static.net/uploads/4408881/normal_603747c26caa8.pdf
    • http://x-bionic.shop/gezekete6pqxq.pdf
    • https://cdn-cms.f-static.net/uploads/4465949/normal_602e6a3d59517.pdf
    • https://siwelizotelet.weebly.com/uploads/1/3/1/4/131437983/kibenupejamefak-luwinuna-gaxuzoxire.pdf
    • https://cdn.sqhk.co/feluxolid/eNxjbjd/todazepafowogezikafi.pdf
    • http://jalazekesofijot.medianewsonline.com/70015622784.pdf
    • https://gemiletux.weebly.com/uploads/1/3/2/6/132681217/9852895.pdf
    • https://towowiwegopute.weebly.com/uploads/1/3/4/0/134019464/zuvulonadotaze.pdf
    • https://cdn.sqhk.co/wukatigubo/gd1qhjR/real_craft_mod_for_mcpe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://dakafatuvuguviz.atwebpages.com/games_to_play_with_4th_graders_on_zoom.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000edef.bin
282f83d0d60058b38b336e634da764e773fa7d01c86c0f43c0161739672667ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDEF 2968 bytes
font_01_sfnt_off0000f896.bin
7b93147967545693d3f0a743171edcc3ceaf163da8aa54af181d553551b3d158		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF896 5040 bytes
font_02_sfnt_off000109a2.bin
9e3f6b6d6fcc3211f40f59be88c29f408b3b0753b22bcb0c5fe36ee2b9357766		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109A2 11224 bytes
font_03_sfnt_off00012f87.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F87 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.