Malicious PDF — malware analysis report

Static analysis result for SHA-256 48855d55975ed673…

MALICIOUS

PDF

Size: 77.2 KB
Created: 2021-03-24 23:37:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 533039853e622a07f3ad6cfff5e6c327
SHA-1: 2c6f2369ff9021184150413c22d17d8b2af08a76
SHA-256: 48855d55975ed6736354852d6ab2aabcfc2b9c5c6a70f4eb0043a498e0426b35
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The file contains a large number of external links, suggesting it is part of a link farm designed to direct users to potentially harmful websites, as indicated by the PDF_SEO_LINK_FARM heuristic. The primary malicious URL identified is https://xezojetit.ru/strik, which is likely used to host or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=nordictrack+c910i+treadmill+review

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eece.bin
    SHA-256: f3b8ce1cda669ab8873b91da12416f092b38834e7a06263f208667891d62d12d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEECE
    Size: 5444 bytes
  • Filename: font_01_sfnt_off00010157.bin
    SHA-256: 95b9c17f01b42f78618f85ad61a9ca9a572464dd7f2cf45480ec1965daf14576
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10157
    Size: 11160 bytes