Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b8df73f06a9e141…

Verdict: MALICIOUS
File type: PDF
Size: 118.9 KB
Created: 2021-05-19 16:46:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c928ffaf945a7dab496b3c83c42e07ab
SHA-1: 2776627cc30e927f7b1cc03bafe8b535abf831c0
SHA-256: 3b8df73f06a9e14170b9269388df2e206e8240694347fa407d51e5a6df3fb6e6
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF is classified as malicious by ClamAV and by the ML classifier, and its shape matches a phishing / SEO link-farm carrier rather than a normal document. It contains many external links, including one to 'xezojetit.ru', suggesting an attempt to redirect readers to malicious or deceptive content. The document structure and the heuristic firings indicate a generated file built to host a large number of links, most likely for SEO manipulation or to route readers into a malware delivery chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9932

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A conforming reader follows startxref to the newest cross-reference section, so the later definition wins, while a reader that rebuilds the table by scanning the file for "obj" may take the first; the two resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/strik?utm_term=lakshmi+ashtothram+kannada+mp3+free+download
    • https://cdn-cms.f-static.net/uploads/4421613/normal_5fd27eb8d7980.pdf
    • https://cdn-cms.f-static.net/uploads/4464851/normal_600c0d83127c7.pdf
    • https://mimatetozolo.weebly.com/uploads/1/3/4/7/134707120/3221797.pdf
    • https://cdn-cms.f-static.net/uploads/4405950/normal_603c6b8a00b1c.pdf
    • https://panubawo.weebly.com/uploads/1/3/5/3/135337149/3710417.pdf
    • https://xejigidusulup.weebly.com/uploads/1/3/4/7/134730122/5ce5e.pdf
    • https://cdn-cms.f-static.net/uploads/4405409/normal_60406172d96da.pdf
    • https://cdn-cms.f-static.net/uploads/4379603/normal_6047167b0d364.pdf
    • https://xoxilorimisutoz.weebly.com/uploads/1/3/4/7/134705863/ninumoxirexagotezigo.pdf
    • https://bogogumufen.weebly.com/uploads/1/3/4/0/134018830/rakevalizilap_keradunefuf.pdf
    • https://dopovubejaxow.weebly.com/uploads/1/3/4/0/134017692/99608.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c05f7805-80ed-4a2a-b6b5-0e75b917e474/making_good_progress.pdf
    • https://uploads.strikinglycdn.com/files/68cce85a-31ae-4ff3-814b-645e9dd23326/76490236396.pdf
    • https://s3.amazonaws.com/lazolu/crazy_questions_siri_will_answer.pdf
    • https://s3.amazonaws.com/xotomisen/21628356456.pdf
    • https://uploads.strikinglycdn.com/files/ecc3d63f-52c7-4e99-8bc4-6d216a797c69/kubodapifibi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
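The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few lines of regex scanning. The script below is an added example, not the report engine's code: it enumerates "N G obj" definitions to find object ids defined twice with different bodies (and whether either body carries active content), counts external /URI link targets and how concentrated they are on one host, and runs both checks on a constructed PDF that has a dozen link annotations to one made-up host plus an incremental update that redefines the catalog with a JavaScript /OpenAction. The active-content key list, the link-farm thresholds, the host name example-farm.test and the object numbers are all assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Keys that make a duplicated object body "active content" (assumed list for this example).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# "N G obj ... endobj" definitions and literal-string /URI values. Regex scanning only sees
# uncompressed objects; anything inside an object stream (/ObjStm) must be inflated first.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def scan_objects(data):
    """Every indirect object definition in file order, as (num, gen, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """Object ids defined more than once with differing bodies.

    A conforming reader follows startxref to the newest xref section, so the last definition
    wins; a reader that rebuilds the table by scanning for "obj" may take the first instead.
    Returns {(num, gen): {"first": body, "last": body, "active": bool}}.
    """
    bodies = {}
    for num, gen, body in scan_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {key: {"first": bs[0], "last": bs[-1],
                  "active": any(k in b for b in bs for k in ACTIVE_KEYS)}
            for key, bs in bodies.items() if len(set(bs)) > 1}


def link_farm_score(data, min_links=10, min_share=0.5, max_size=512 * 1024):
    """External /URI targets, their concentration on one host, and the link-farm verdict.
    The three thresholds are assumptions for this example, not the report engine's values."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    return {"links": len(external), "top_host": top_host, "top_share": share,
            "link_farm": len(external) >= min_links and share >= min_share
            and len(data) <= max_size}


def build_sample(n_links=12, host="example-farm.test"):
    """Constructed sample, not the analysed file: one page with n_links link annotations to a
    single host, then an incremental update that redefines the catalog (1 0 obj) with a
    JavaScript /OpenAction. Object numbers, host name and URLs are made up."""
    objs = {1: b"<< /Type /Catalog /Pages 2 0 R >>",
            2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>"
               % b" ".join(b"%d 0 R" % (10 + i) for i in range(n_links))}
    for i in range(n_links):
        objs[10 + i] = (b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                        b"/A << /S /URI /URI (https://%s/dl/%d.pdf) >> >>"
                        % (i * 20, i * 20 + 15, host.encode(), i))
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num in sorted(objs):                      # original revision: objects, xref, trailer
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objs[num])
    size, xref1 = max(objs) + 1, len(out)
    out += b"xref\n0 %d\n" % size
    for num in range(size):
        out += b"%010d 00000 n \n" % offsets[num] if num in offsets else b"0000000000 65535 f \n"
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref1)
    upd = len(out)                                # incremental update: 1 0 obj again, newer xref
    out += (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
            b"/JS (app.launchURL\\(\"https://%s/go\"\\)) >> >>\nendobj\n" % host.encode())
    xref2 = len(out)
    out += (b"xref\n0 1\n0000000000 65535 f \n1 1\n%010d 00000 n \ntrailer\n"
            b"<< /Size %d /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n"
            % (upd, size, xref1, xref2))
    return bytes(out)


if __name__ == "__main__":
    pdf = build_sample()
    for (num, gen), d in duplicate_objects(pdf).items():
        print(f"{num} {gen} obj defined twice, active content: {d['active']}")
        print("  first-wins reader sees:", d["first"])
        print("  last-wins reader sees: ", d["last"])
    print(link_farm_score(pdf))
```

On the constructed file, duplicate_objects reports object 1 0 with a benign first body and a last body carrying /OpenAction and /JavaScript, which is exactly the case where the heuristic text says severity should be raised; link_farm_score sees 12 external links, all on one host. Against a real sample, inflate object streams first and expect hex-string (<...>) and /GoToR link targets that this literal-string regex does not catch.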

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_005_off00013644.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13644 | 22556 bytes | 5928ae6074bead5a530d0edbd5f9ed9e7fd21b91140d11e0b5a10ce59c481712
font_00_sfnt_off00010d00.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D00 | 5544 bytes | 6f69ff1dbfa8baf1092cd0b58dd58bc38b61d4d8e499f911f9830378eb14d430
font_01_sfnt_off00011fc7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FC7 | 2656 bytes | ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
font_02_sfnt_off00012acc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12ACC | 3740 bytes | eb903a4bcabb0673128613fc2c6a3b3be6b6be0204d11159aa2f590e1d82ee93
font_04_sfnt_off0001655a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1655A | 2108 bytes | 5fc9e2cd4e7ad04544edda2023dd698132b65daf167a61e09de9fd8de66d8b52
font_05_sfnt_off00016f28.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16F28 | 2116 bytes | 89454d8ece1be00d2333aac76955f46ed17c4d141322e635bf27f42efb43e54e
font_06_sfnt_off000178f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x178F4 | 13464 bytes | 6b63bc22ccfb865a6fa23f1d8ddc362848f04a972ef3d98c4705b4e30e014a10
font_07_sfnt_off0001a345.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A345 | 16544 bytes | 2ef45901ce6563cc0c6ae9119c6f5b2b3d364691def2f918ffd2bbb538a72ae7
font_08_sfnt_off0001ba18.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BA18 | 4984 bytes | 62cf5450a5e279ebc60ac08a9c478c874b914858deab57976101a28bece22918