Malicious PDF — malware analysis report

Static analysis result for SHA-256 45e002d475838a33…

Verdict: MALICIOUS
File type: PDF
Size: 82.8 KB
Created: 2021-04-12 14:25:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 667a54bd6678d239b81c0927dc284e82
SHA-1: d155936007f65b1bb843cd1dc5203cc97219391b
SHA-256: 45e002d475838a3330cb4074343a8e6c08c8b4b2b802364816634ad7cff0a845
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document exhibits the characteristics of a link farm: it embeds a large number of external URLs, and a critical heuristic flags it as a PDF SEO link farm. The external URI pointing to 'mezovuduw.ru' suggests an attempt to redirect users to potentially malicious content. While no scripts were explicitly extracted, the PDF structure and the numerous embedded links strongly indicate a malicious intent to drive traffic to external sites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/strik?utm_term=memory+rescue+bright+minds+pbs (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f8a5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF8A5
  Size: 5372 bytes
  SHA-256: 4639cc1b8b2cd913a3ca423cc99955dafa2406a8d679baf05de93208403c9888

Filename: font_01_sfnt_off00010ad1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AD1
  Size: 10956 bytes
  SHA-256: 8c2c9ba030102e91549c1260905ac61892c60f62428b6f18396c3f6928ce2749

Filename: font_02_sfnt_off00013018.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13018
  Size: 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3