Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cacecc850b012be…

MALICIOUS

PDF

Size: 83.6 KB
Created: 2021-04-04 21:15:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e999faeacacd17899c47c398899821b0
SHA-1: 4f600839a1143081aa6831324509410552b84778
SHA-256: 2cacecc850b012bebda99936b09d44a3305702db4c24a027b236292cf3f3ccb6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The document contains a large number of external links, many of which point to SEO-optimized PDF files, suggesting a link farm or content-scraping operation. One of the primary external links is to `https://lozipotod.ru/aws`, which is likely the malicious payload or phishing destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://lozipotod.ru/aws?utm_term=do+new+gas+furnaces+have+pilot+lights

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00010bff.bin (d05529b40f1658824862ff82b35d4937783e8ea011601a311090780aa69c08b6) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BFF | 5428 bytes
font_01_sfnt_off00011ea1.bin (13e7c145b55135a562b73c5ebd2647e7f90143132790f488d2d63ce3eeba19cd) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11EA1 | 11720 bytes