Malicious PDF — malware analysis report

Static analysis result for SHA-256 2311ebfe031438dc…

MALICIOUS

PDF

75.4 KB Created: 2021-03-16 13:14:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64a5dee39ab20f88cca46e1511c1557c SHA-1: 5dc350da86ec3f28bb5f51fa3af5f9b5c93d9826 SHA-256: 2311ebfe031438dc1c2e8f9310f9b811d6bf1b28fd804e99fe1f50ee7ac1dff8
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains numerous external links, characteristic of a link farm or phishing lure. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document likely prompts the user to install a browser extension or update, a common tactic for credential theft or malware delivery. The presence of multiple external URLs, including one pointing to 'seumenha.ru', suggests a phishing or malicious content distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=unblocked+stickman+games
    • http://tuzogat.sportsontheweb.net/zamafik.pdf
    • http://xovuwowim.mypressonline.com/suzokuja.pdf
    • http://wuxevonatot.iblogger.org/wijikinomelovigupa.pdf
    • https://static.s123-cdn-static.com/uploads/4418583/normal_5feeef346c1b3.pdf
    • https://static.s123-cdn-static.com/uploads/4474450/normal_5fcf665662de2.pdf
    • https://cdn-cms.f-static.net/uploads/4497658/normal_5fd1c1d7c920f.pdf
    • http://vijufik.iblogger.org/mobifufoverukekoworifi.pdf
    • https://static.s123-cdn-static.com/uploads/4379384/normal_5ff8cdfca9086.pdf
    • http://lalikexitaxixix.getenjoyment.net/gakazuneripelomoveze.pdf
    • https://static.s123-cdn-static.com/uploads/4366367/normal_600649185b047.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d766cab6-778c-4542-9b30-571ffd806556/31221258447.pdf
    • http://molutuganum.epizy.com/32836176546.pdf
    • https://ef9d90ca-5811-4a1c-810e-75bcfae60121.filesusr.com/ugd/a33af7_0e36c41deab248eaaa9fb9ea52de082d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8ca83c73-4b4f-43e7-981f-7a590b95f7e8/the_bloody_chamber_by_angela_carter.pdf
    • https://07e0a16e-b77d-475b-b724-88bbaedb347c.filesusr.com/ugd/8e9e2f_c270ddf885ac42b9b622bf27e44e0b13.pdf?index=true
    • https://uploads.strikinglycdn.com/files/eb1bb7d1-f9b2-4941-8b5d-cc22a41db693/nusine.pdf
    • http://dapuzuro.epizy.com/64941795565.pdf
    • https://cc652f91-b1ab-470c-b36f-46d838ef85b2.filesusr.com/ugd/fbccce_a0b0cd21643d425fa558f67cf1fe8dec.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9b31bb94-72df-4ba8-80c0-033e301e78ee/tejitiwewim.pdf
    • http://lesasesodimavun.epizy.com/chitra_kannada_movie_video_ing.pdf
    • https://uploads.strikinglycdn.com/files/01127f2f-619f-43f3-a8c5-b6f6dcd9b24a/zorolapib.pdf
    • https://uploads.strikinglycdn.com/files/548689d6-ed9a-41e8-bc1e-fa02c0d394c0/25769555150.pdf
    • http://retiziwo.myartsonline.com/nosenil.pdf
    • https://uploads.strikinglycdn.com/files/1fd10ac6-727b-4fb7-a9d3-5f33de6e19f0/the_language_of_composition_2nd_edition_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e92a.bin
4fa096ee627ee7dade35331ab75a1df903b727cc131a7a2125f4504c697bc668		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE92A 5356 bytes
font_01_sfnt_off0000fb53.bin
edcfc4b664fafe5184567d529c827b29c7790acf808bb9c95453fd00321ceb2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB53 10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.