Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d581d80a581429b…

Verdict: MALICIOUS
File type: PDF

Size: 75.1 KB
Created: 2021-03-07 11:16:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d30e7f6f48b900aeb4e4e6965ede9ccf
SHA-1: baf0a0bf49b0ea7b21f6ad326573dcd033d1fc7b
SHA-256: 2d581d80a581429b2f288f2ee7ba1ddc73a06a39fa30e456833e2995b2cc5fcb
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, most of them clustered on a single host in the pattern of a generated SEO link farm: PDFs produced to manipulate search-engine results and route visitors onward rather than to cite sources. The primary suspicious URL is https://midufefew.ru/aws?utm_term=frigidaire+freezer+troubleshooting+manual, a keyword-bait link that is likely used to redirect users to malicious content. The ML classifier's score (0.9996) corroborates the heuristic verdict; it does not identify a separate payload inside the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/aws?utm_term=frigidaire+freezer+troubleshooting+manual
    • http://nesorus.mywebcommunity.org/bukuvenanijotirilu.pdf
    • https://cdn-cms.f-static.net/uploads/4471484/normal_5fd0b3821620e.pdf
    • https://static.s123-cdn-static.com/uploads/4494661/normal_60049c243f625.pdf
    • https://cdn-cms.f-static.net/uploads/4410447/normal_6040eef01f023.pdf
    • https://cdn-cms.f-static.net/uploads/4419654/normal_6036ad2118192.pdf
    • http://pibarulajido.getenjoyment.net/cosco_scenera_next_convertible_car_seat_safety_rating.pdf
    • http://ruguwafe.scienceontheweb.net/36378707042.pdf
    • http://vegifeda.mypressonline.com/james_patterson_movies_on_amazon_prime.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6e0f1057-5973-4f31-b8c3-019d80f82416/91183126052.pdf
    • https://uploads.strikinglycdn.com/files/d5511685-fc3b-40a2-9f35-539698f98f75/google_chrome_flash_player_after_december_2020.pdf
    • https://c145ee04-3c3b-4786-8b94-e0511401b322.filesusr.com/ugd/de65f7_fb639691bb8e4ca7a0c3b1691e5d3dcd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/614b2393-8e83-48ab-8c45-1c091a0af232/54644242847.pdf
    • https://ce3a146a-d504-4efb-981c-4593fb85d965.filesusr.com/ugd/5b5da7_c072d9a442ee4d879f180a18f9579801.pdf?index=true
    • https://36425c1f-c329-48aa-845d-1f8252cb45c8.filesusr.com/ugd/01d500_435086dae0144104bf0996845406016b.pdf?index=true
    • https://9e2bb560-353e-4f5d-a08b-1363560edab4.filesusr.com/ugd/6c032c_38e66fb7666a4c92aa8706732311bfbe.pdf?index=true
    • https://b1b0174c-961c-4936-87f6-765e1132391e.filesusr.com/ugd/6cf804_066ef916236d473c9351128451d90730.pdf?index=true
    • https://19508648-7f28-415f-8121-b57715dc1465.filesusr.com/ugd/9734e7_9c05885713cb420b81e133616b7ae423.pdf?index=true
    • https://uploads.strikinglycdn.com/files/58983f9c-29fc-4783-8191-b6fd43350bb1/topdog_underdog_critical_analysis.pdf
    • http://fiderifi.rf.gd/53877119618.pdf
    • https://uploads.strikinglycdn.com/files/749b24d2-9505-4f55-960b-fa4ad1f7e745/my_favorite_things_lyrics_kelly_clarkson.pdf
    • http://wasalesex.epizy.com/lotanorik.pdf
    • https://a49a6154-edc8-4132-95a2-c7bb8d673fe9.filesusr.com/ugd/551169_412a4d68d5da4d0faf4b3202d16c5140.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF/XMP namespace URIs from the document's metadata and the SIL Open Font License URL from the embedded fonts' licence fields; they are identifiers, not clickable link targets, and should not be counted toward the link-farm pattern.
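The two structural heuristics above (the link-farm rule and the duplicate-object rule) can be reproduced with a flat scan of the file bytes. The following is an added example, not the scanner's own code: it runs over a constructed PDF byte string (not the analysed sample) and shows how a host-clustering verdict is derived from the /URI actions, how a duplicated object number resolves differently under first-wins and last-wins parsing, and when the duplicate finding should be escalated. The thresholds, the ACTIVE_KEYS list and all function names are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file. Five /URI link annotations, three of
# them on one host, and object "5 0" defined twice with different bodies; the second
# definition carries /JavaScript, the "active content" case the heuristic escalates.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://midufefew.ru/aws?utm_term=frigidaire+freezer+troubleshooting+manual) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.ascendercorp.com/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/4471484/normal_5fd0b3821620e.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/4410447/normal_6040eef01f023.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/4419654/normal_6036ad2118192.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed list: keys whose presence in a duplicate body turns an "info" finding
# into a real one. Extend as needed; /URI alone is deliberately not on it.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(pdf: bytes):
    """Every indirect object as (num, gen, body) in file order, duplicates kept.
    Deliberately not a full PDF parser: streams, string escapes, object streams
    and xref tables are ignored, which is enough for the two checks below."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(pdf)]


def extract_uris(pdf: bytes):
    """Targets of every /URI action found by a flat scan of the file bytes."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def link_farm_verdict(pdf: bytes, max_size=200_000, min_links=5, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style rule: small file, many external links, most of them
    on one host. Thresholds are assumptions for the example, not the scanner's."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = len(pdf) <= max_size and len(uris) >= min_links and share >= cluster_ratio
    return {"links": len(uris), "top_host": top_host, "top_share": share, "flagged": flagged}


def resolve(pdf: bytes, key, policy="last"):
    """What a reader sees for object `key` under a first-wins or last-wins policy."""
    bodies = [b for n, g, b in parse_objects(pdf) if (n, g) == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(pdf: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style rule: same (num, gen) defined more
    than once with different bytes. Severity is raised only when a later body
    carries active content, as the heuristic description states."""
    first, findings = {}, []
    for num, gen, body in parse_objects(pdf):
        key = (num, gen)
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = any(k in body for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first": first[key], "last": body,
                             "severity": "high" if active else "info"})
    return findings


if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for f in duplicate_objects(SAMPLE_PDF):
        print(f["obj"], f["severity"])
        print("  first-wins:", resolve(SAMPLE_PDF, f["obj"], "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, f["obj"], "last"))
```

On the constructed input the link-farm rule fires because 3 of 5 links sit on cdn-cms.f-static.net, and the duplicate-object rule reports object 5 0 as high severity because its later body carries /JavaScript while the first body is a plain link: a first-wins scanner would classify the object as a harmless URI annotation, a last-wins viewer would execute the script. On a real file, run the same checks on a proper PDF parser's object table rather than this regex scan, which cannot see into object streams or escaped strings.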

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ea2a.bin
  SHA-256: 1997bb9371f742e4edcb62827014b96f83f2d89600abfc3ef6ae1e291c32ea3d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEA2A
  Size: 5464 bytes

Filename: font_01_sfnt_off0000fca1.bin
  SHA-256: 62a3f8e32d4ef2286273413eaaa3b9e6062880d3b0130fd78785960e5ad68c03
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFCA1
  Size: 10032 bytes