Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b08f5f3161369ba…

Verdict: MALICIOUS
File type: PDF
Size: 97.4 KB
Created: 2021-04-01 14:02:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9581cb87a8979bebbaf50770b1c77ef
SHA-1: abfa97b66cae003c007dc62d82fdfa39978f8507
SHA-256: 3b08f5f3161369ba1c59142a895bc7ccaac4e6452fa7438d53f16164746f6975
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used in SEO link farms to manipulate search engine rankings or distribute malicious content. One prominent URL, 'https://soxebez.ru/wix?keyword=goodgame+empire+hack+v2.4+free+download', suggests a lure for users seeking game cheats, which is a common phishing tactic. The ClamAV detection and ML classifier further indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off00015d05.bin
  SHA-256: f92aefe021883a7218e0cf26ee53e91224ca76fb9a67038f0a6adac2e61a2851
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x15D05
  Size: 18044 bytes

Filename: font_00_sfnt_off000123c2.bin
  SHA-256: c61ff522dd7577c5741cd4be06db9241f4f0d26ae666127af90e4be31a550362
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x123C2
  Size: 5892 bytes

Filename: font_01_sfnt_off000137d5.bin
  SHA-256: 6eb96e3defdf7644a15e19386e492ba4c2a5c76c3dd38f225d603c6f5aca4238
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x137D5
  Size: 10820 bytes