Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bef68a10bf7ae73…

Verdict: MALICIOUS

File type: PDF

Size: 81.7 KB
Created: 2021-04-24 05:05:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a78de9e2c160c379bf5521f8629e4b1
SHA-1: 51a38a19c2c15331fa2ed26a4a6f77b5e5c4fd2a
SHA-256: 4bef68a10bf7ae73ee4dc6fcb49e41ca6338709efe12303252ad55404734d1d4

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links; one heuristic (PDF_SEO_LINK_FARM) matches that shape specifically. The primary external URL points to a domain that appears to be involved in malicious activity, and its query string carries a search-phrase style utm_term, consistent with SEO bait rather than a document citation. No scripts were extracted, so the verdict rests on link density, host clustering, the ClamAV signature and the ML classification; the most likely role of the file is a phishing or malicious-redirection carrier.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=why+is+yamaha+r6+illegal+in+india (primary URL)
    • http://xunopapazugatar.medianewsonline.com/pasufawanapolunopubaduju.pdf
    • http://pajuwepubawip.sportsontheweb.net/19079089126.pdf
    • http://fekevopimibun.sportsontheweb.net/algorithms_for_interviews_free_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xozeb/mariah_carey_always_be_my_baby.pdf
    • https://s3.amazonaws.com/xoguwavosuje/nascla_contractors_guide_to_business_law_and_project_management_virginia_8th_edition.pdf
    • https://uploads.strikinglycdn.com/files/89ba78de-8ced-4d49-ad6e-b38f0aad7901/hp_laserjet_1100_toner_refill.pdf
    • https://2ddedb0e-b7b0-41c9-a8bc-c018bd0e6e4c.filesusr.com/ugd/70094d_c78fae355b9b474d853bde793f693808.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ce63da1d-3cb6-4acf-83ec-a253cee212b0/relion_ultima_test_strips_walmart.pdf
    • https://uploads.strikinglycdn.com/files/15b5fbbf-fffc-4a29-93cf-150719063b2c/stanley_shop_vac_filter_bags.pdf
    • https://uploads.strikinglycdn.com/files/187df605-ab5a-4e32-a9f9-e8e18339e19c/can_you_make_a_smoothie_with_frozen_fruit_and_ice.pdf
    • https://s3.amazonaws.com/wanalovum/ardhanari_telugu_movie.pdf
    • https://uploads.strikinglycdn.com/files/e695b348-2c51-4902-99c9-8de818466eac/warrior_cats_full_movie_into_the_wild.pdf
    • https://uploads.strikinglycdn.com/files/4337d87b-4447-4507-a922-d0b12dcb6361/gordon_ramsay_cookbook_100_recipes_to_stake_your_life_on.pdf
    • https://24a70dd4-b549-4b9e-9c0a-6eea45ab85ad.filesusr.com/ugd/ab0c63_4f364b060c2c454385b5e39b5e629946.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0019fb5c-e10e-4024-9c5e-adf262c173f8/how_do_i_apply_for_a_job_at_walgreens.pdf
    • https://14da0a27-f261-4d4b-8668-3a369f5c966d.filesusr.com/ugd/46429b_cb1ef0e4b4074a63baf54272fbd37fcf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/401e91e9-282c-4e85-b6ef-a8fc4fd84aee/is_ap_physics_1_exam_hard.pdf
    • https://uploads.strikinglycdn.com/files/d2281007-eb18-488d-bef5-1b861ae73eb8/diablosport_intune_i3_tuner_14-16_5.3l_silverado_1500.pdf
    • https://s3.amazonaws.com/zuvovoxigumuz/zigotarotowibawabobeju.pdf
    • https://uploads.strikinglycdn.com/files/d4a3356a-26c2-4eed-a9d0-36906b89d8c1/lidomivemarikef.pdf
    • https://s3.amazonaws.com/tiduro/emergency_room_doctor_definition.pdf
    • https://uploads.strikinglycdn.com/files/e9ef34ff-db65-4e4e-a3c0-395cf55dce3e/38787925858.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
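Three of the heuristics above can be reproduced by hand: the duplicate-object check, the /URI extraction and the link-farm shape test. The script below is an added example, not code from this report or its analysis engine. Its thresholds (file at most 200 KB, at least 10 clickable links, at least half of them on one host), its hostnames and its sample PDF are assumptions constructed for the illustration. It scans the raw bytes for every N G obj ... endobj definition without following the xref table, so it sees the same duplicate objects that a first-wins and a last-wins reader would disagree about, and it drops the XMP namespace and font-licence identifiers that URL extractors list beside real link targets (the last seven entries in the list above), since those are not clickable links.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Every "N G obj ... endobj" definition in the raw bytes, in file order, with no xref
# lookup: duplicate definitions are exactly what xref-driven readers disagree about.
OBJ_RE = re.compile(rb"(?<![0-9A-Za-z])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/ImportData")
# Identifier URIs that URL extractors pull out of XMP metadata and embedded-font
# licences; they are not link targets and must not count towards a link farm.
NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/",
                      "http://ns.adobe.com/", "http://scripts.sil.org/")


def find_duplicate_objects(pdf: bytes) -> list:
    """One record per (N G) defined more than once. Severity is raised only when
    the bodies differ AND one of them carries active content."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(defs) < 2:
            continue
        differing = len(set(defs)) > 1
        active = any(k in body for body in defs for k in ACTIVE_KEYS)
        if not differing:
            severity = "info"       # byte-identical re-emission, e.g. a rewritten file
        elif active:
            severity = "critical"   # first-wins and last-wins readers follow different actions
        else:
            severity = "low"        # the usual benign incremental-update shape
        findings.append({"obj": f"{num} {gen}", "defs": len(defs),
                         "differing": differing, "active": active, "severity": severity})
    return findings


def extract_link_uris(pdf: bytes) -> list:
    """/URI action targets as literal strings. Hex strings and escaped parentheses
    are not handled; generated link-farm carriers do not use them."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(urls, size_bytes, max_size=200 * 1024, min_links=10, min_share=0.5) -> dict:
    """Link-farm shape test. The thresholds are assumptions for this example, not the
    report's: small file, many clickable links, most of them on a single host."""
    links = [u for u in urls if not u.startswith(NAMESPACE_PREFIXES)]
    hosts = Counter(urlsplit(u).netloc.lower() for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(links) if links else 0.0
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links)
    return {"links": len(links), "hosts": len(hosts), "top_host": top_host,
            "top_host_share": round(share, 2), "pdf_targets": pdf_targets,
            "PDF_SEO_LINK_FARM": size_bytes <= max_size and len(links) >= min_links
                                 and share >= min_share}


def build_sample_pdf(n_links=12, host=b"cdn-farm.example.net") -> bytes:
    """Constructed stand-in for a link-farm carrier (NOT the analysed sample): n_links
    link annotations on one assumed host, then an incremental update that re-emits the
    catalog unchanged and redefines annotation 4 0 with a different target."""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(n_links)) + b"] >>\nendobj\n"]
    for i in range(n_links):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] "
                    b"/A << /S /URI /URI (http://%s/%d.pdf) >> >>\nendobj\n"
                    % (4 + i, i * 10, i * 10 + 9, host, i))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 9] "
              b"/A << /S /URI /URI (http://dropper.example.org/x.pdf) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return original + update


def triage(pdf: bytes) -> dict:
    """Combined view of both checks for one file."""
    uris = extract_link_uris(pdf)
    return {"duplicate_objects": find_duplicate_objects(pdf),
            "link_farm": link_farm_score(uris, len(pdf))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

On the constructed file the catalog re-emission is reported as info and the redefined link annotation as critical, because only the latter differs and carries an action. Run over this report's own EMBEDDED_URL list (25 link targets once the seven identifier URIs are dropped), uploads.strikinglycdn.com holds 11 of them, under the 0.5 share assumed here, while s3.amazonaws.com buckets and filesusr.com hosts make up most of the rest; a production version of the heuristic therefore has to cluster by hosting family rather than by exact host, or use a lower share threshold.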

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010150.bin
    SHA-256: cedccef42d15c09b7a084c7d734fdea33df5c2b6a9bb4bef190f44c724e1222b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10150
    Size: 5508 bytes
  • font_01_sfnt_off000113ec.bin
    SHA-256: 8f8d2313487edee0912199a0a908c5e2778babc9924d72f7d181860dcff3dc5a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x113EC
    Size: 11068 bytes