Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c0ad8a8a64dfe48…

Verdict: MALICIOUS
File type: PDF
Size: 76.1 KB
Created: 2021-03-16 15:19:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 975f1fdd8bba8235961a540953a245b1
SHA-1: 98fc4712995ebdad98c1eadd5d17240f10645bb5
SHA-256: 3c0ad8a8a64dfe482ccefc379dfce4223f9d3c0adf934effacdead569bc08607
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating it is likely a phishing or trojan delivery mechanism. The document contains a large number of external links, many of which are SEO-optimized PDF links, suggesting a link farm designed to direct users to malicious content. The primary IOC is the URL 'https://xezojetit.ru/wix?keyword=compton+a+soundtrack+full+album+download', which is presented in a way that mimics search results to entice downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=compton+a+soundtrack+full+album+download
    • http://guzoseta.getenjoyment.net/83325963597.pdf
    • http://bomaduworofa.medianewsonline.com/how_to_use_scarce_resources.pdf
    • http://fanutoragozogow.sportsontheweb.net/neburareruw.pdf
    • http://wujasonuvilo.mywebcommunity.org/bhagavad_gita_chapter_15_in_tamil.pdf
    • http://xelasurugopu.mywebcommunity.org/thule_roof_rack_for_jeep_wrangler_hard_top.pdf
    • http://nosilekexiwot.mywebcommunity.org/machine_learning_algorithms_and_applications.pdf
    • http://tizakeguwowil.22web.org/civ_5_strategy_guide.pdf
    • http://faponabon.mygamesonline.org/artificial_neural_networks_in_real_life_applications.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fidefofudi/badger_insinkerator_444_manual.pdf
    • http://lusunumef.rf.gd/motor_hp_to_amps_chart.pdf
    • http://xafepabofi.epizy.com/rx-v377_service_manual.pdf
    • https://a208a2de-cee2-48c2-86e3-c620a022946d.filesusr.com/ugd/dda32d_22cc82f242544696be196dafcd465462.pdf?index=true
    • https://s3.amazonaws.com/sazomo/jurivowexagagekexobikafos.pdf
    • https://3857ddc0-2b33-46ba-b4a8-ebef9b167687.filesusr.com/ugd/5cc0d5_ec21bc62ee2b4852bd6e107a0d57cef6.pdf?index=true
    • https://a519209a-2b0a-481f-9fe9-460c873bdc80.filesusr.com/ugd/270e53_008c9417a97444d5a938e8771e39e3f7.pdf?index=true
    • https://46b09160-81f9-4cb3-9cca-f7b5b0c0229e.filesusr.com/ugd/179cc6_ade0e19c1376462aaaca9ebf466562b4.pdf?index=true
    • https://de315c38-daa2-4293-b666-e554ba9b7d65.filesusr.com/ugd/564d2e_1530ccb84b7d4d2f88fe7ac0cce9af5c.pdf?index=true
    • https://s3.amazonaws.com/wavunot/crazy_car_racing_game_apkpure.pdf
    • https://bd04a250-715b-4db0-8087-55ec2f714cf5.filesusr.com/ugd/0c2191_ec64b7ee7ee8437db69216ac2aa20ea0.pdf?index=true
    • https://5c839259-519f-4cee-a1a2-6639d654070b.filesusr.com/ugd/140efa_74016cfcbadc42739c69c6da5ea7d765.pdf?index=true
    • https://s3.amazonaws.com/sedowedi/jijokunomujuresigupozibe.pdf
    • https://b64dd490-e5b9-492f-89ff-e398ecee904c.filesusr.com/ugd/5926b4_44185cd207a44cc3b883da1dec6877bf.pdf?index=true
    • https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_5dd4e2d06f09469ea4621fabe3812205.pdf?index=true
    • http://lunufisisosixi.rf.gd/student_ka_full_form_kya_hota_hai.pdf
    • http://baruluzibovog.epizy.com/40904772507.pdf
    • https://s3.amazonaws.com/tezofuretejom/logitech_z623_settings.pdf
    • https://e7f45dcf-1957-410e-85b1-216e85a225c4.filesusr.com/ugd/a2c2bc_c9758004a779441fb81d6c098cb542ff.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e8d6.bin
    SHA-256: b38415b689a86f10804a044e416ccc230608dfb1136482b78acb4a603eca10ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE8D6
    Size: 5500 bytes
  • Filename: font_01_sfnt_off0000fb83.bin
    SHA-256: 1a9a5a4a9c0476ae17fad19ff91a4e874395aa9438c567e57bf8a18e25454808
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB83
    Size: 10824 bytes