Malicious PDF — malware analysis report

Static analysis result for SHA-256 272e79ea2abfcc9d…

Verdict: MALICIOUS
File type: PDF
Size: 79.9 KB
Created: 2021-04-02 08:13:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1628c8a997ab0fca571ce374767560b4
SHA-1: ae4e265b3cde6debec55abd4f0c5946e65f96daa
SHA-256: 272e79ea2abfcc9d86784e796a688a7920a709a28f3242a804400abc0d9b4f53
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged malicious by two independent engines, ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (score 0.9967), consistent with a phishing or malware-distribution lure. The file was rendered from an HTML page with wkhtmltopdf and is small (79.9 KB), yet it carries a large number of clickable external links: fifteen point to .pdf paths on a single host, cdn.sqhk.co, and another eleven to .pdf uploads on filesusr.com subdomains, the pattern of a generated SEO link-farm carrier rather than a normal citation pattern. The primary malicious URL identified is https://xezojetit.ru/wix?keyword=things+fall+apart+questions+and+answers+chapter+1-13, which is most likely a redirector into further malicious or phishing content. The ascendercorp.com, scripts.sil.org/OFL and XMP namespace URLs are font-vendor, font-licence and metadata strings, not detections. Note that no JavaScript action or script heuristic appears among the findings below, so the T1059.007 mapping is not evidenced by this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader (linear scan of the file) and a last-wins reader (following the xref chain, where the incremental update overrides the original) resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a /URI, JavaScript, Launch or similar action).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=things+fall+apart+questions+and+answers+chapter+1-13
    • https://cdn.sqhk.co/petebodok/HifsigA/25180631407.pdf
    • https://cdn.sqhk.co/savunowudob/gd4Cpha/83540646885.pdf
    • https://cdn.sqhk.co/xawowatu/GriaXuM/usher_top_songs_youtube.pdf
    • https://cdn.sqhk.co/zizenozi/gdGiihb/common_cold_pathogenesis_slideshare.pdf
    • https://cdn.sqhk.co/liguzalat/jeIhf1H/91823296234.pdf
    • https://cdn.sqhk.co/tuwovado/jhQdgcU/tsspdcl_jpo_previous_question_papers_with_answers.pdf
    • https://cdn.sqhk.co/zojudaje/hfUzjfr/lapebepofefixawefodu.pdf
    • https://cdn.sqhk.co/fabetojowuje/jfibOuN/68070879256.pdf
    • https://cdn.sqhk.co/pobumepova/fgTUhdc/war_card_game_java_source_code.pdf
    • https://cdn.sqhk.co/gowexenopa/jajjjeS/dumudotov.pdf
    • https://cdn.sqhk.co/fisoxinizo/ijiAhgh/18425351718.pdf
    • https://cdn.sqhk.co/zavilisuga/hghe5ha/85221296488.pdf
    • https://cdn.sqhk.co/vumuwuxa/Ohgeyje/value_of_national_geographic_magazine_june_1985.pdf
    • https://cdn.sqhk.co/supetudoti/vujfhfF/8605434008.pdf
    • https://cdn.sqhk.co/texonatuzi/GQjayij/dental_assistant_salary_australia.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ae8c1479-5121-4009-b0ed-8259dbb1205b.filesusr.com/ugd/0aff45_9ca5d07cf89f4054ab504959f93cb869.pdf?index=true
    • https://7f1d4f38-7308-4051-b389-b8ed31312188.filesusr.com/ugd/e948c1_f614709ad03b44cea731984f891805da.pdf?index=true
    • https://ac3db616-04cb-40f1-8357-c67041f5e20c.filesusr.com/ugd/eda9ba_9945e4d758314bffb30e4d141a5131cc.pdf?index=true
    • https://1b6fe947-be7e-4494-9a94-f566f178d3d1.filesusr.com/ugd/89064d_b5cb22156bb94e55b5669bd88784c24e.pdf?index=true
    • https://a2fe464c-28d1-4db8-bb2d-552ad9bc2f4d.filesusr.com/ugd/941bb1_440e2388f73a4d42b6c5ba641d5b563a.pdf?index=true
    • https://9c43cb74-45e3-47de-9527-fda2e8336169.filesusr.com/ugd/af0aa9_b72c10e9126e420298f77837f4b47d47.pdf?index=true
    • https://4e33067b-0f13-4bed-bb9c-ea95f768fd7c.filesusr.com/ugd/23924c_4e1cb02593c54f3f9ef0f65d0abb370a.pdf?index=true
    • https://61069a5e-3c5f-4884-a3c7-8c7552058b74.filesusr.com/ugd/0789d5_3eec3b4d56a44ba29923f735abe0fb6d.pdf?index=true
    • https://810dce77-56ab-4324-823a-3549757f4eab.filesusr.com/ugd/1fad07_049ca5f6bc6d42408e7a40c4b3d25b80.pdf?index=true
    • https://fdb4f28e-c637-431f-967d-457feef73efb.filesusr.com/ugd/cf5aa9_c53804db37f14d85a3fc8d6001cce89e.pdf?index=true
    • https://68fdcf0a-b1f0-4758-9edf-48d2be6d990b.filesusr.com/ugd/ac51ce_6628755b6f134b9287ba6ca10365b5be.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
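The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a raw object scan. The Python below is an added example written for this page, not the analysis engine's own code. It builds a constructed PDF (the hosts are borrowed from the URL list above, the paths and the incremental update are made up), resolves duplicate objects both first-wins and last-wins, extracts /URI actions under each policy, and applies a link-farm test whose thresholds (10 .pdf links, 70% of links on one host, file under 256 KiB) are assumptions, not the engine's values.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Raw-byte patterns. Real files also keep objects inside compressed object
# streams and use escaped or hex strings; this scan deliberately sees only the
# "both definitions on disk" view that the duplicate-object heuristic needs.
OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.M | re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|SubmitForm|GoToR|OpenAction)\b")


def iter_objects(data):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) -> list of bodies, for objects defined more than once with differing bytes."""
    seen = {}
    for key, body in iter_objects(data):
        seen.setdefault(key, []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolved_objects(data, last_wins=True):
    """Object table as a last-wins (xref-chained) or first-wins (linear) reader sees it."""
    objs = {}
    for key, body in iter_objects(data):
        if last_wins or key not in objs:
            objs[key] = body
    return objs


def uri_actions(data, last_wins=True):
    """URLs reachable through /URI actions under the chosen resolution policy."""
    objs = resolved_objects(data, last_wins)
    return [u.decode("latin-1") for key in sorted(objs) for u in URI_RE.findall(objs[key])]


def link_farm_score(urls, file_size, min_links=10, min_share=0.7, max_size=256 * 1024):
    """Small file whose clickable links are mostly .pdf paths on one host (assumed thresholds)."""
    hosts = Counter(urlsplit(u).hostname for u in urls)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_links = sum(1 for u in urls if urlsplit(u).path.lower().endswith(".pdf"))
    top_share = top_count / len(urls) if urls else 0.0
    return {
        "links": len(urls), "pdf_links": pdf_links,
        "top_host": top_host, "top_share": round(top_share, 3),
        "is_link_farm": file_size <= max_size and pdf_links >= min_links and top_share >= min_share,
    }


def analyse(data, last_wins=True):
    dups = duplicate_objects(data)
    # Only duplicates that carry an action are worth raising severity for.
    active = [k for k, bodies in dups.items() if any(ACTIVE_RE.search(b) for b in bodies)]
    urls = uri_actions(data, last_wins)
    return {
        "urls": urls,
        "link_farm": link_farm_score(urls, len(data)),
        "duplicate_objects": sorted(dups),
        "active_duplicates": sorted(active),
    }


def _annot(num, url):
    return b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, url)


def build_link_farm_sample(n_farm=12):
    """Constructed sample, not the analysed file: an original body plus an incremental
    update that redefines object 4 with a different /URI. Hostnames come from the
    report's URL list; the paths and the query string are invented."""
    farm = [b"https://cdn.sqhk.co/u%d/k%d/%d.pdf" % (i, i, 10000 + i) for i in range(n_farm)]
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
             _annot(4, b"http://www.ascendercorp.com/")]
    parts += [_annot(5 + i, u) for i, u in enumerate(farm)]
    parts += [b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
              _annot(4, b"https://xezojetit.ru/wix?keyword=x"),   # the incremental update
              b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"]
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_link_farm_sample()
    for policy in (False, True):
        print("last-wins" if policy else "first-wins", "object 4 ->", analyse(pdf, policy)["urls"][0])
    print(analyse(pdf)["link_farm"], analyse(pdf)["active_duplicates"])
```

Run it and the two resolution policies disagree on what object 4 points to: a linear first-wins reader sees the benign font-vendor link, a last-wins reader sees the redirector. That disagreement, combined with the action inside the duplicated object, is exactly what lifts the duplicate-object finding out of the benign incremental-update noise.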

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f972.bin
  SHA-256: eede9ac5cb4818a6d690ea617a7e3e2c54e42095eb7d9cfd60852d35d2041421
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF972
  Size: 5832 bytes

Filename: font_01_sfnt_off00010d6a.bin
  SHA-256: 320f59f23baa6441db6707448fa949b599d1c327bc4db69314143dcc5857025c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10D6A
  Size: 10664 bytes
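To reproduce or verify an artifact table like the one above, the carving step is a scan of stream objects for an sfnt font header, decoding FlateDecode streams first. The Python below is an added example, not the analysis engine's carver. It constructs two minimal sfnt-shaped fonts inside a made-up PDF (one raw with an indirect /Length, one FlateDecode-compressed), carves them, and reports offset, size and SHA-256 in the report's own naming scheme; the font tables themselves are not validated.

```python
import hashlib
import re
import struct
import zlib

# sfnt magics: TrueType (0x00010000), CFF-flavoured OpenType ("OTTO"), Apple TrueType ("true").
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
# A stream dictionary (one level of nesting allowed) followed by the stream keyword.
STREAM_RE = re.compile(rb"<<(?P<dict>[^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def carve_sfnt_fonts(data):
    """One record per stream whose decoded payload starts with an sfnt magic.
    'offset' is where the raw stream bytes start in the file, 'size' the decoded length."""
    found = []
    for m in STREAM_RE.finditer(data):
        sdict, start = m.group("dict"), m.end()
        lm = LENGTH_RE.search(sdict)
        if lm and not lm.group(2):                    # direct /Length N
            payload = data[start:start + int(lm.group(1))]
        else:                                         # indirect /Length N G R: use the keyword
            end = data.find(b"endstream", start)
            if end < 0:
                continue
            payload = data[start:end]
            for eol in (b"\r\n", b"\n", b"\r"):       # strip the single EOL before endstream
                if payload.endswith(eol):
                    payload = payload[:-len(eol)]
                    break
        if b"/FlateDecode" in sdict:
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                continue
        if payload[:4] in SFNT_MAGICS:
            found.append({
                "name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
                "offset": start, "size": len(payload),
                "sha256": sha256_hex(payload), "data": payload,
            })
    return found


def fake_sfnt(magic, tag):
    """Minimal sfnt shape: offset table, one table record, 4 data bytes (32 bytes in total)."""
    header = magic + struct.pack(">HHHH", 1, 16, 0, 0)      # numTables=1, searchRange=16
    record = tag + struct.pack(">III", 0, 28, 4)            # checksum, offset, length
    return header + record + b"\x00\x00\x00\x00"


def build_font_sample():
    """Constructed PDF, not the analysed file: a text stream, a raw TrueType stream whose
    /Length is an indirect reference, and a FlateDecode-compressed CFF OpenType stream."""
    font_a = fake_sfnt(b"\x00\x01\x00\x00", b"head")
    font_b = fake_sfnt(b"OTTO", b"CFF ")
    deflated = zlib.compress(font_b)
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    pdf += b"5 0 obj\n%d\nendobj\n" % len(font_a)
    pdf += b"2 0 obj\n<< /Length 5 0 R /Length1 %d >>\nstream\n" % len(font_a)
    pdf += font_a + b"\nendstream\nendobj\n"
    pdf += b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
    pdf += deflated + b"\nendstream\nendobj\n"
    return pdf, font_a, font_b


if __name__ == "__main__":
    pdf, _, _ = build_font_sample()
    for f in carve_sfnt_fonts(pdf):
        print("%s  %s  offset 0x%X  %d bytes" % (f["name"], f["sha256"], f["offset"], f["size"]))
```

The offset reported is the file offset of the stream data, which is what the table above records (0xF972 and 0x10D6A), while the size and hash describe the decoded font program; when checking a table entry, hash the decoded bytes, not the compressed stream.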