Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e03eafd8b0af3a4…

MALICIOUS

PDF

78.9 KB Created: 2021-03-13 20:27:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6da9c25190950c3c23ee06e44113641 SHA-1: d10064d32da083aaad621678277ff0f684a946ca SHA-256: 3e03eafd8b0af3a483433f8ee280db26105564bd094af54301cb3c1ad859a111
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as part of a PDF link farm. One prominent URL, 'https://seumenha.ru/award?keyword=digital+electronics+basics+interview+questions+pdf', is presented as a lure for interview questions. While no scripts were directly extracted, the presence of external links and the nature of the heuristics suggest a malicious intent to redirect users to potentially harmful sites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/award?keyword=digital+electronics+basics+interview+questions+pdf
    • https://cdn-cms.f-static.net/uploads/4393019/normal_6024b5dbb4eb1.pdf
    • https://cdn-cms.f-static.net/uploads/4443799/normal_602c5edc55d46.pdf
    • https://static.s123-cdn-static.com/uploads/4475204/normal_5fffbef6c5b2a.pdf
    • https://cdn-cms.f-static.net/uploads/4448992/normal_6046d6f78686b.pdf
    • https://cdn-cms.f-static.net/uploads/4374181/normal_602793439628e.pdf
    • https://cdn-cms.f-static.net/uploads/4452395/normal_6049f11731311.pdf
    • https://cdn-cms.f-static.net/uploads/4388842/normal_5fe9602f189ea.pdf
    • https://static.s123-cdn-static.com/uploads/4499282/normal_5fc81441c4b4f.pdf
    • https://cdn-cms.f-static.net/uploads/4421472/normal_604cf3464d06c.pdf
    • https://static.s123-cdn-static.com/uploads/4492897/normal_5fdee89049d63.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kavalukato/wallpaper_love_status.pdf
    • https://cd70d4e5-4a1a-4071-96d1-f2415ea5ece1.filesusr.com/ugd/7f46b5_9e3eff77503a4e14ba9cc0993a3be247.pdf?index=true
    • https://46fb9a51-9e16-4ad8-811e-2f7ed01702f7.filesusr.com/ugd/53363c_2aea451e0a884c928ba887821edbc94d.pdf?index=true
    • https://s3.amazonaws.com/rovuweraja/61496908311.pdf
    • https://s3.amazonaws.com/nezanurugega/c_c_f_ka_full_form.pdf
    • https://uploads.strikinglycdn.com/files/de39bf6f-040d-4f3f-bd4e-9745cc64e30f/ashton_drake_reviews_2019.pdf
    • https://s3.amazonaws.com/jiguwuzobozobaz/51851926635.pdf
    • https://60659a61-a27b-47ea-8eac-a81775c62269.filesusr.com/ugd/7a7fb1_eb5aa13831e14b50b5920ab5f034b288.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0f720557-964c-435e-83e6-511ae90f1b7c/vampire_5e_dndbeyond.pdf
    • https://s3.amazonaws.com/zumomasugipeno/21283496643.pdf
    • https://uploads.strikinglycdn.com/files/e45ef609-4edf-4742-ab35-ef011f322618/53318162414.pdf
    • https://6cbe2f5c-748b-4bc6-b691-25a968a47885.filesusr.com/ugd/d6b5da_fb0ab045094f4149b24849b62b683555.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f724.bin
c4df13bf7d37be39ba114fd53ebe1d9bab760e5864554fee472458f3e52ca57a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF724 5740 bytes
font_01_sfnt_off00010ad1.bin
19c7006adcdce95c4dc3e645dfa2770b64ccce5e028ad2d0cdca2b4639c9b11d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10AD1 10424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.