Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c659200ab892be5…

MALICIOUS

PDF

97.6 KB Created: 2021-05-09 00:12:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 713462ca2d5aaa6d48d53f39a5b954cf SHA-1: 87517631ff3138c10d52b53339a9c7d8387345d9 SHA-256: 2c659200ab892be55b034cd84e33222055f52d8f729c0ea59c129644e0751504
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms or phishing campaigns. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' strongly indicate a phishing or malicious intent. The embedded URL 'https://seumenha.ru/strik?utm_term=how+to+double+jump+in+breath+of+the+wild' is likely the primary lure, directing users to a potentially compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=how+to+double+jump+in+breath+of+the+wild
    • https://cdn-cms.f-static.net/uploads/4470836/normal_60183fe655d0f.pdf
    • https://cdn.sqhk.co/fepogosu/7ZRUicF/business_process_management_powerpoint_presentation.pdf
    • https://cdn-cms.f-static.net/uploads/4483103/normal_60214e90b67af.pdf
    • https://static.s123-cdn-static.com/uploads/4494435/normal_5ff37f7713054.pdf
    • https://cdn.sqhk.co/zutijujes/qbPkujf/dikarevaxofavivirixa.pdf
    • https://cdn.sqhk.co/kibizatududo/Bhdjf9s/89560772513.pdf
    • https://static.s123-cdn-static.com/uploads/4389794/normal_60084f1b0adb5.pdf
    • https://cdn-cms.f-static.net/uploads/4381529/normal_60503a557e347.pdf
    • https://cdn.sqhk.co/navimoxa/4heiilp/52494456051.pdf
    • https://static.s123-cdn-static.com/uploads/4366959/normal_5ff7db73ee17e.pdf
    • https://cdn-cms.f-static.net/uploads/4412902/normal_602d69c0dd774.pdf
    • https://cdn-cms.f-static.net/uploads/4448323/normal_60518bc37550b.pdf
    • https://cdn.sqhk.co/rabataxuvax/iWXo2gc/i_wish_you_love_lyrics_ann_sally.pdf
    • https://cdn-cms.f-static.net/uploads/4387037/normal_6032f0764e79a.pdf
    • https://cdn-cms.f-static.net/uploads/4407998/normal_604d8bad2fd7d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b9a4378c-e06a-4f0b-a3c9-98c0efa7e191/how_to_invest_on_coinbase.pdf
    • https://d45380bd-a93d-4ef2-b2bd-4c7806d1f6db.filesusr.com/ugd/5d2cf3_313084def2874f7394df44cfd2e19522.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fe1259af-baef-4ff9-bd14-f25305904c6c/the_social_life_of_small_urban_spaces.pdf
    • https://uploads.strikinglycdn.com/files/175ad094-477b-456e-b827-97c89bd174eb/noxulewawatiziwedogak.pdf
    • https://4cf6c2b4-cd84-4b73-83b1-bf7f441162b2.filesusr.com/ugd/e50c99_ef416df50feb4233a60149c41a59eade.pdf?index=true
    • https://bbfcab69-cab0-43b8-b861-839d52945da6.filesusr.com/ugd/fa71eb_69a02cb920f74eee926cc1d0c181b65c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f4231b0f-344a-40eb-b737-4d19bc29ddfa/cyberpunk_ps4_pro_performance_reddit.pdf
    • https://uploads.strikinglycdn.com/files/250f0ee2-9808-437f-81f2-72883155e428/24984279375.pdf
    • https://0bc2ebcf-5b85-435c-8290-6c6350a165f2.filesusr.com/ugd/ee98f5_54f11e444f274f4da4eebe65315ad39a.pdf?index=true
    • https://200c4c3d-185b-4246-b99f-f40cd7065c99.filesusr.com/ugd/3ed902_99676b7a20b04a04b2d4b288d7c906f7.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011e47.bin
b3dfb2f2c41da7350fc3755141d2fd0ea5796bb125df25fec831093623ff73df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E47 2900 bytes
font_01_sfnt_off0001288a.bin
2ca1286886411db24c170d42cbf6c5b5390ec874a8a28bddf2668445b4ed7db2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1288A 5372 bytes
font_02_sfnt_off00013ab0.bin
9fbae99e4a6da776f68d058266d0b0660fbf04c36905d6598979e2015e604d97		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13AB0 12100 bytes
font_03_sfnt_off0001634d.bin
354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1634D 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.