Malicious PDF — malware analysis report

Static analysis result for SHA-256 254a3f82e2c184a3…

MALICIOUS

PDF

Size: 86.1 KB
Created: 2021-04-25 15:37:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 025739693d37c0dadef31df1cf43d915
SHA-1: 5f4dfffcd7e874c06a5a172822842871fc2fa3b7
SHA-256: 254a3f82e2c184a350b6ed1261fee55567522a016140ce2325d7f416a292769e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to a link farm hosted on 'resalured.ru'. The document body, though heavily obfuscated, contains text about chemical reactions, which suggests a lure chosen to disguise the malicious intent. The ML classifier strongly flagged this PDF as malicious, indicating it is very likely used to distribute further malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=how+do+you+know+if+a+redox+reaction+is+acidic+or+basic
    • http://fulifubajamo.mywebcommunity.org/ittf_table_tennis_score_sheet.pdf
    • http://vowewudimo.mypressonline.com/schaum_s_outline_fourier_analysis_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f3e7c7bd-4a66-413c-aa11-f74d1f7c1d53/97685958638.pdf
    • https://uploads.strikinglycdn.com/files/9e8c59eb-082b-4ed0-8646-7b403937f040/how_to_connect_hikvision_dvr_to_internet.pdf
    • https://uploads.strikinglycdn.com/files/61a6f661-a154-493c-aece-2d91e53e9eae/62766679091.pdf
    • https://b8f7bc2e-5f90-466c-a76c-b8215bfdb3ae.filesusr.com/ugd/9717d9_1c38dbcce2ff403581587b0c1f3cc1e0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/035523f0-db8c-420d-927b-fdff16060a69/deadweight_loss_practice_problems.pdf
    • https://uploads.strikinglycdn.com/files/6e126ebc-2f04-43a6-8a87-2141018c195f/what_are_the_differences_between_books_and_movies.pdf
    • https://7980b0ff-2efe-48f4-a442-6c87bca80713.filesusr.com/ugd/9bd8c3_ed9628a2315f42518922332c981c71c7.pdf?index=true
    • http://vujuvisesakok.myartsonline.com/honda_gcv160_pressure_washer_not_building_pressure.pdf
    • https://uploads.strikinglycdn.com/files/4e32e206-574d-44fe-a771-e85d3e0e5804/what_can_you_do_with_a_masters_in_engineering.pdf
    • https://uploads.strikinglycdn.com/files/d50d5ef1-6ae4-422a-b9dd-093ace22fe23/wendler_5_3_1_program_results.pdf
    • https://7162f0c1-3bb2-4775-9ad2-1e34613fb889.filesusr.com/ugd/595093_c33b462fe94543498a3004dae512d437.pdf?index=true
    • https://6b551870-9d71-4c88-87ac-30bafd697196.filesusr.com/ugd/b27e13_db7fa42fa4dd4e4ab719a858475182c8.pdf?index=true
    • https://3b0fe5ff-7f86-489c-8138-fc984e51136c.filesusr.com/ugd/bfd78a_4652339c08e2465b9462ff8331e22c00.pdf?index=true
    • http://sipanokule.onlinewebshop.net/medical_records_policy_and_procedures.pdf
    • https://40e214c1-1950-44e8-a195-e2c6eeb23253.filesusr.com/ugd/a517f4_b9c997557d624e33a6b6c3a98914a51e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bc1ab3c4-36e3-40b5-8ca7-1fea8c80a9ab/appion_g5_twin_rebuild_kit.pdf
    • https://80f75f89-a1e3-4611-a0ef-7a704eb82da9.filesusr.com/ugd/0286dd_759b6beb0c9f46ce8c817910a688d684.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d97e1bd9-7535-4b5b-8888-952839fffee8/what_is_the_phonetic_alphabet_uk.pdf
    • http://pupagerirawax.myartsonline.com/cisco_career_path.pdf
    • https://uploads.strikinglycdn.com/files/67ff4c22-78a1-4411-8b9a-b9f78f70fed3/kabodejuzivuzegojabugamoz.pdf
    • https://uploads.strikinglycdn.com/files/8d7ab920-a3d6-4a29-ad02-edf1fae248b5/sekovo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000fb4f.bin
    SHA-256: efb0529ccebe683724e5b58b0b69538f1d489030b126467d713b7677994f4b68
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB4F
    Size: 5408 bytes
  • font_01_sfnt_off00010de0.bin
    SHA-256: eac6b45c0bd62655768e55ca88cc6646790a9f33c6207ee1a05318e21e636383
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DE0
    Size: 11552 bytes
  • font_02_sfnt_off00013583.bin
    SHA-256: 01e49661dbdd7b4823267156d85e4b6ddc25a6de2ac0af4d78c137cfa2b371b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13583
    Size: 16100 bytes