Malicious PDF — malware analysis report

Static analysis result for SHA-256 40c5e7879ae92ade…

MALICIOUS

PDF

Size: 74.9 KB
Created: 2021-03-22 13:12:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6c0c7385608da934adfd165fc0285e9
SHA-1: d613b0a81982368179b69b4a81b903ad746972a1
SHA-256: 40c5e7879ae92adea5a34c9f1815644d7e49bc2afc8ded436824aff31c2f7190
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which are part of a link farm designed to manipulate search engine results. One prominent URL, 'https://soxebez.ru/wix?keyword=feel+it+still+roblox+id+code', appears to be a lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/wix?keyword=feel+it+still+roblox+id+code
    • https://cdn-cms.f-static.net/uploads/4387924/normal_602eb8ad90ba7.pdf
    • https://murenelu.weebly.com/uploads/1/3/1/8/131856612/7160917.pdf
    • https://cdn.sqhk.co/devisofage/BhjaXji/rezolimidaditedeburofimu.pdf
    • https://rifodajawu.weebly.com/uploads/1/3/0/7/130739776/fuduziguxa.pdf
    • https://cdn-cms.f-static.net/uploads/4378830/normal_603ee68e3de94.pdf
    • https://lidutefavova.weebly.com/uploads/1/3/4/0/134012516/vunetotaferaf-vosub-ladoxi-sudora.pdf
    • https://nojefawagalubab.weebly.com/uploads/1/3/4/2/134266261/wejuza.pdf
    • https://cdn-cms.f-static.net/uploads/4444655/normal_60514ea8e2f5f.pdf
    • https://cdn-cms.f-static.net/uploads/4463809/normal_604329044649c.pdf
    • https://cdn.sqhk.co/ketalidukepi/8gfif5L/chargepoint_merger_presentation.pdf
    • https://wujawosekeg.weebly.com/uploads/1/3/4/7/134712458/46770b69c3.pdf
    • https://cdn.sqhk.co/rufosopufu/hcjfcX7/76175568061.pdf
    • http://xajaweronasuxo.22web.org/12589517633.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://451b78f8-089e-4d4d-bc4b-60abb621f7e6.filesusr.com/ugd/7ef0dc_2cb19b91f0a543c384cd8699263e83dd.pdf?index=true
    • https://3f740848-0e57-4b51-8596-564812021bec.filesusr.com/ugd/cbe17c_c87db151342b4369b2f4e679d9b1b6cf.pdf?index=true
    • https://05282879-aed3-4f16-ac14-d534add4d4bd.filesusr.com/ugd/0f8b7c_ddebeda05c5d4963a57594759a8de9c0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/23e93d0b-a63c-455e-bbaf-4131bd1914d3/dazevafejezodaz.pdf
    • https://uploads.strikinglycdn.com/files/e70fd3ee-af47-4f84-88e7-8c24ba4f8bd7/king_serial_numbers_saxophone.pdf
    • https://a95edb9d-21e5-46e4-bb1b-b1fdf66a5dae.filesusr.com/ugd/09e34a_ade5b7f4aa0e454fab107c61be51870b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e636ec75-846d-464f-9480-629d8ef1c4c9/what_is_a_peer_reviewed_scientific_study.pdf
    • https://uploads.strikinglycdn.com/files/10661a1c-50e4-4efd-930a-4210c37d5d10/90548685726.pdf
    • http://lagixilutami.rf.gd/mexelarajazitufolaxiwetu.pdf
    • http://taribizuka.epizy.com/boropidopofototajufopek.pdf
    • https://0cfe495c-9a5f-46a1-a5f3-fb21b6211bac.filesusr.com/ugd/7aabb2_1509cb5743c648879501c5710b415ba9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1aaf3f34-fa59-489e-b064-b7c687f8f8f1/essay_my_favourite_book_holy_quran_in_english.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000deac.bin
    SHA-256: 75fcc7e467f3ee281b70e5f47d8b5f40fab8a54c5f5ac55bd8dbcaea7adc541b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDEAC
    Size: 4884 bytes
  • font_01_sfnt_off0000ef51.bin
    SHA-256: 3db0edf0d6764ac3b5c075e51844234502b2ca99c825d09852fc8733abb3e66f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF51
    Size: 1888 bytes
  • font_02_sfnt_off0000f864.bin
    SHA-256: 3e0990f849343b3cc2d538306b8e72b5bb856563355fb5e3df8313069fade06c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF864
    Size: 11260 bytes