Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ae157946e3d9ea7…

MALICIOUS

PDF

84.9 KB Created: 2021-04-16 01:01:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 9e379fdda598d0d6261b014bce9c2a7f SHA-1: b83e3a532024713dc3a150c7980c9d891c41004d SHA-256: 4ae157946e3d9ea75010c937b73a674d99b769cae5376916b7fe0ac8f1fac4a0
186 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file identified as malicious by multiple heuristics and an ML classifier. It contains a significant number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. One of the primary URLs identified is https://mezovuduw.ru/strik, which is likely a redirector to a malicious payload or phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=what+is+a+california+roll+stop PDF link annotation
    • http://sale50.pro/471436825959rbj4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4471686/normal_6040bcf15c5d7.pdfIn PDF document text
    • http://dsv-trening.ru/code_metal_30w64q.pdfIn PDF document text
    • http://chunyoo.com/rolazzc8vf.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408176/normal_600c123049352.pdfIn PDF document text
    • http://akvatehnika74.ru/zivojepojakem0ct.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4486363/normal_60414103c1c9e.pdfIn PDF document text
    • http://cuzinfo.ru/85610831118n437o.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/21d0c278-304a-4b81-8efc-7231776e1f97/how_much_water_to_add_to_orange_juice_concentrate.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6253fb2f-089f-4ea5-b1e6-9485a9c6f8e9/17451008479.pdfIn PDF document text
    • https://dbba0f06-1911-40f0-8c80-a2638c7f81cc.filesusr.com/ugd/b13fd1_87cf261c4b33463eaf201f2fb4975d96.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/4d976700-d32e-424c-b21a-0ffd1ccf87d6/the_kargil_girl_full_movie_watch_online.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e08aadd-860a-439e-ac2d-745bccfa5bf0/73095138753.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9df1d90d-7cc1-4868-852b-53088f8d2598/96070042042.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5d7e25cf-5677-4068-9f8f-101176e1cec6/2013_bmw_328i_maintenance_cost.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c2acbb54-2b9f-4e90-89c3-c22009170185/what_exercise_with_dumbbells.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2efdd51d-8fbd-419b-863f-0574002c210a/87682352938.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/770af4d0-99d3-489f-8bd5-757a651ec887/weninozopokonasubuku.pdfIn PDF document text
    • https://c4bedd8b-a3e9-4aa8-9751-a6fde4035b7e.filesusr.com/ugd/037f08_e3fc806bab144208ba3585d2aef9ae71.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010db2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10DB2 5116 bytes
SHA-256: 13a1435a1a7f420b8d514c7fea7aabefcc913d5a68fd56fbbd9fe72cab3dbeca
font_01_sfnt_off00011f24.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11F24 11480 bytes
SHA-256: c0ad100b6076c7e8df3aa21967a4ced63e07355aa5190cc88e576b7283b2c236

Open this report in the interactive analyzer, or submit your own file for analysis.