Malicious PDF — malware analysis report

Static analysis result for SHA-256 4217eae6507979cb…

Verdict: MALICIOUS
File type: PDF
Size: 91.7 KB
Created: 2021-04-14 23:52:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e39dbc36036a80d877f27b669786972d
SHA-1: b9ba2399f4d6fa8d5cd568f7a74be31ec64e1830
SHA-256: 4217eae6507979cb3b884fdbee93d362f53ea322b36a4c2b0da8a9d654691119
Risk Score: 226

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of external links, many of which point to disposable hosting, suggesting a link farm or phishing attempt. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to open a password-protected archive, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (7)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001006c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1006C  5728 bytes
  SHA-256: b398c1cd674a734cce5404f1bf7f6067125277428970c5e078e05abced2c3070
font_01_sfnt_off00011418.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11418  11756 bytes
  SHA-256: 77e4f8b911fb0797d56f9bb83c8fb4941832415096be4bbbecb5efa3342c5141
font_02_sfnt_off00013c85.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13C85  16340 bytes
  SHA-256: de4d8b2f57bd79f1a868fabda613d9936b110e31710edd4728466090b424b6ff
font_03_sfnt_off000151fd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x151FD  4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e