Malicious PDF — malware analysis report

Static analysis result for SHA-256 426efe2c86673b0c…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-05-21 21:37:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f543a7ae343e9194f59b8cd8d76bd93
SHA-1: 2569e374bb88693f4506cb9b3e593dbf19131388
SHA-256: 426efe2c86673b0c111bcd0dacc81654ac6420e55c6d62aa1862714695673488
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, including one pointing to 'seumenha.ru', suggesting a phishing or malware distribution attempt. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=steven+universe+unleash+the+light+apk+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ebf9.bin
  SHA-256: 48becfd3fbad3684d510702404c8b22b70c5df3668904401120ba27b05c34f30
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEBF9
  Size: 5624 bytes

Filename: font_01_sfnt_off0000ff25.bin
  SHA-256: 40514287f1090506fdf026efb8e7212c137aa561950dbf50d46ad44450500b9b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFF25
  Size: 11216 bytes