Malicious PDF — malware analysis report

Static analysis result for SHA-256 4897742e43e65e1f…

MALICIOUS

PDF

100.7 KB Created: 2021-03-29 07:43:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cde28ea1f00351b508ee9a00a20c9db SHA-1: 4cd320145b04d81381297118b5682795dc0e004c SHA-256: 4897742e43e65e1f791420c42d1f8605d84b9a13bcfa790617fc2a99f0c08965
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a phishing lure. It contains multiple external URIs, including one pointing to 'xezojetit.ru', suggesting an attempt to redirect the user to a malicious site. The heuristic 'SE_INVOICE_LURE' further supports the phishing pretext. No scripts were extracted, but the presence of external links and the invoice lure indicate a likely attempt to trick the user into visiting a compromised site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=what+is+the+use+of+domain+model+explain+with+suitable+example
    • https://cdn.sqhk.co/widafopaj/eZihjiT/are_green_potatoes_ok_to_eat_uk.pdf
    • http://jorowijedo.mywebcommunity.org/wuxidaki.pdf
    • http://sufofure.mywebcommunity.org/self_attention_generative_adversarial_networks.pdf
    • https://cdn.sqhk.co/noloxunipe/SLqjhAP/1640130544.pdf
    • http://jakusavu.sportsontheweb.net/best_video_games_to_play_with_significant_other.pdf
    • https://static.s123-cdn-static.com/uploads/4376619/normal_5fce338082dcf.pdf
    • https://cdn-cms.f-static.net/uploads/4458421/normal_6035d87e4019c.pdf
    • http://kudikadip.getenjoyment.net/21310588716.pdf
    • https://cdn.sqhk.co/joduragenep/GgdtGjd/boginutiwirorajipil.pdf
    • https://cdn-cms.f-static.net/uploads/4407989/normal_6017614b0221a.pdf
    • https://cdn.sqhk.co/jivapereb/gRhfLof/fun2_2_player_games_unblocked.pdf
    • http://zenododuro.iblogger.org/temple_of_seti_i_in_abydos.pdf
    • http://porerapeboligos.iblogger.org/33654780223.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f84ffea9-2755-49c2-9cb5-47ca8b55fe65.filesusr.com/ugd/0adedf_08163ae36caf4b1ba37d84cea5ac7720.pdf?index=true
    • https://s3.amazonaws.com/galinikagopit/sylvania_10.1_quad_core_tablet_portable_dvd_player_combo_case.pdf
    • http://ropasibemufi.epizy.com/duxusunut.pdf
    • https://d102a0f2-001f-4998-bb0a-88ac30ac05b5.filesusr.com/ugd/771ea4_7022e88288e74cca80909bab55bd7386.pdf?index=true
    • https://s3.amazonaws.com/degagaziv/86121294068.pdf
    • https://s3.amazonaws.com/gidibesuxi/xepugugugexaped.pdf
    • https://s3.amazonaws.com/zubuwujoxom/asrlm_admit_card.pdf
    • http://wapugabidojako.rf.gd/48273187518.pdf
    • https://7e8267f5-6380-480e-ad72-df526eaefc07.filesusr.com/ugd/cbe325_967213c6334446099d6e6c52bb10781a.pdf?index=true
    • https://76ed6b59-b034-43ac-b949-e1c08f76e3cb.filesusr.com/ugd/ee6100_7c0fec11850f40fea6892c78b29b33e8.pdf?index=true
    • http://jawuguv.epizy.com/zazivivi.pdf
    • https://s3.amazonaws.com/gomakobez/lozumapej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014a71.bin
81c30aed52af98f4a896e1ec8573a92b78d74c9f8fbfe31a707027d6bf8125b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14A71 5496 bytes
font_01_sfnt_off00015d19.bin
505ee6e3f719d2caab78a5370fc12107a89b2d328f74eeaabb2d00a34a94f9c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15D19 11048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.