Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ce67751875478f5…

Verdict: MALICIOUS
File type: PDF
Size: 81.3 KB
Created: 2021-03-17 00:52:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c96e1602fc8d6714aa0c9d94d056e0f4
SHA-1: 7d4411f974f7bdc6856c79d1d8b374eabb9c3f09
SHA-256: 4ce67751875478f50045241b9c2779494c8772198c36c62ae12cf6a6a0767e01
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF is a mass external link farm: roughly two dozen clickable links clustered on a handful of CDN and free-hosting hosts (cdn.sqhk.co, s3.amazonaws.com buckets, filesusr.com, rf.gd, epizy.com and similar), with one prominent link to https://leonvi.ru/wix?keyword=cookie+clicker+github+code, a lure page keyed to the search phrase 'cookie clicker github code'. The Nyx classifier scored the file 0.9996 malicious, and the link density and host clustering match generated SEO-carrier PDFs that route users into unwanted-software delivery chains rather than the citation pattern of a genuine document. No JavaScript or other script objects were extracted, so the T1059.007 mapping is not backed by observed script content; the verdict rests on the document structure and the classifier. The tail of the URL list (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net, ascendercorp.com) consists of XMP namespace identifiers and font vendor/licence URLs carried in the embedded fonts' metadata, not link targets, and the wkhtmltopdf producer string is self-reported metadata rather than evidence either way.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate body carries active content; here it does not, hence the info rating.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/wix?keyword=cookie+clicker+github+code
    • https://cdn.sqhk.co/xubipoxeguza/heKdcsz/fuputenaba.pdf
    • https://cdn.sqhk.co/burexewejam/dMigifa/mameborifonadonasuj.pdf
    • https://cdn.sqhk.co/loxexafetivu/ijffhaO/40772251125.pdf
    • http://xarubuxa.iblogger.org/57546515959.pdf
    • http://pemufosapakem.mypressonline.com/how_do_i_reset_my_kwikset_smartcode_909.pdf
    • http://miraluvofizobe.medianewsonline.com/25529181185.pdf
    • https://cdn.sqhk.co/ferudati/fhbihXz/docs_online_report_nsw.pdf
    • https://cdn.sqhk.co/gerezowuves/b0UjhKg/62692282768.pdf
    • https://cdn.sqhk.co/wupefukawis/djjijnz/angular_formcontrolname_nested_property.pdf
    • http://tuworiki.22web.org/bbc_food_guide_bubble_and_squeak.pdf
    • http://orteil.das
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://gipetiwivi.atwebpages.com/58293967868.pdf
    • https://s3.amazonaws.com/gedesisumi/19582862930.pdf
    • https://s3.amazonaws.com/pugomonapoxuxe/tuvemekomom.pdf
    • https://0e67983c-e844-40c9-b604-97311ec94efe.filesusr.com/ugd/6e13d9_1b7ebd29232a4ae9b2cfd2d93bb23f38.pdf?index=true
    • http://zenadeguposu.rf.gd/abnormal_psychology_test_bank.pdf
    • http://rijemow.onlinewebshop.net/ansys_classic_commands.pdf
    • https://19a4122d-28db-4ec2-a9e3-8c1e87f24dd5.filesusr.com/ugd/70d0b7_0550a55d33a44327a420f946961d865a.pdf?index=true
    • https://s3.amazonaws.com/muvojugejoxip/94646139562.pdf
    • http://muwalolerede.epizy.com/felesazig.pdf
    • http://bimogudi.rf.gd/st_andrews_university_logo.pdf
    • https://s3.amazonaws.com/feliso/89907829894.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
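The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced over raw bytes without a PDF library. The script below is an added example, not the analyser's own code: the sample PDF is constructed inline (four /URI link annotations, three on one host, and object 4 0 redefined by an incremental update), and the thresholds min_links, cluster_ratio and max_size are assumptions, not the values the report used.

```python
"""Added example (not the analyser's own code): re-implements the two
structural heuristics above over raw PDF bytes, without a PDF library.
The sample PDF is constructed for this example, and the thresholds
(min_links, cluster_ratio, max_size) are assumptions, not the report's."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: four /URI link annotations, three on one host, and
# object 4 0 redefined by an incremental update with a different body
# (the second body adds /OpenAction, i.e. active content).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Producer (first) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a/1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b/2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c/3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example.test/wix?keyword=x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Producer (second) /OpenAction 3 0 R >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex strings and escaped parens are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|OpenAction|AA|Launch|SubmitForm)\b")


def link_farm_check(pdf, min_links=3, cluster_ratio=0.6, max_size=512 * 1024):
    """PDF_SEO_LINK_FARM-style check: many /URI links, mostly on one host, in a
    small file (thresholds are assumed). Returns (host_counter, dominant_host, flagged)."""
    uris = [u.decode("latin-1") for u in URI_RE.findall(pdf)]
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    if not uris:
        return hosts, None, False
    host, n = hosts.most_common(1)[0]
    flagged = (len(pdf) <= max_size and len(uris) >= min_links
               and n / len(uris) >= cluster_ratio)
    return hosts, host, flagged


def duplicate_object_check(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: same (num, gen) defined
    twice with different bytes. Returns {(num, gen): info} with what a
    first-wins and a last-wins reader would see and whether the last body
    carries active content (the condition under which severity is raised)."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    dups = {}
    for key, seen in bodies.items():
        if len(seen) > 1 and len(set(seen)) > 1:
            dups[key] = {
                "first_wins": seen[0],
                "last_wins": seen[-1],
                "active": ACTIVE_RE.search(seen[-1]) is not None,
            }
    return dups


if __name__ == "__main__":
    hosts, host, flagged = link_farm_check(SAMPLE_PDF)
    print("link farm:", flagged, host, dict(hosts))
    for key, info in duplicate_object_check(SAMPLE_PDF).items():
        sev = "warning" if info["active"] else "info"
        print("duplicate object %d %d (%s):" % (key[0], key[1], sev),
              info["first_wins"], b"->", info["last_wins"])
```

On the constructed sample the link-farm check fires (three of four links on cdn.example.test) and the duplicate check reports object 4 0 with the first-wins body lacking and the last-wins body carrying /OpenAction, which is exactly the case in which the rule above would raise its severity. Object streams, hex-string URIs and escaped parentheses are outside what this regex pass handles; a real triage run should decode those first.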

Extracted artifacts (3)

Files carved from inside the sample during analysis. Offsets are the positions of the font streams in the file; the sizes exceed the gaps between consecutive offsets, so they are the sizes of the decoded font data rather than of the compressed streams on disk.

Filename: font_00_sfnt_off0000e941.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE941
  Size: 4920 bytes
  SHA-256: 494345e5d5c4522fa32c9c3757a8b8c0128746f35e1a58edbd5d07ddc66d5ba8

Filename: font_01_sfnt_off0000f9ef.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF9EF
  Size: 11812 bytes
  SHA-256: 8701f38eada7a0e7a0e7ee3393265c0e64527c30e03538a4b1cf96112e26923f

Filename: font_02_sfnt_off00012227.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12227
  Size: 16352 bytes
  SHA-256: d5c1d73facc1ee30369663d5bc9e1d56b1b6bad2d1eb0652642bc5daa7bdf87b
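The carving step that produced the records above can be reproduced with a short stream walker: locate each stream object, decode it, keep those whose first bytes are an sfnt magic, and record the file offset, decoded size and SHA-256. The script below is an added example, not the analyser's code; its sample PDF is constructed inline with one content stream, one raw TrueType-shaped stream and one Flate-compressed one, and it handles only direct /Length values and the /FlateDecode filter.

```python
"""Added example (not the analyser's own code): carves embedded sfnt font
streams and reports them the way the artifacts table above does, with the
stream's byte offset in the file, the decoded size and the SHA-256.
The sample PDF is constructed here; it uses direct /Length values only and
at most a /FlateDecode filter, which is all the parser below handles."""
import hashlib
import re
import struct
import zlib

# Magic numbers at the start of an sfnt container (TrueType, Mac TrueType,
# OpenType/CFF, TrueType collection).
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only
STREAM_RE = re.compile(rb"\bstream\r?\n")


def fake_sfnt(num_tables):
    """Minimal TrueType-shaped blob: offset table header plus a zeroed
    table directory. Constructed for the sample, not a usable font."""
    hdr = struct.pack(">IHHHH", 0x00010000, num_tables, 0, 0, 0)
    return hdr + b"\x00" * (16 * num_tables)


FONT_A = fake_sfnt(3)                    # 60 bytes, stored raw
FONT_B_RAW = fake_sfnt(5)                # 92 bytes, stored Flate-compressed
FONT_B = zlib.compress(FONT_B_RAW)
CONTENT = b"BT /F1 12 Tf (hello) Tj ET"  # a non-font stream the carver must skip


def build_sample():
    """Constructed PDF with one content stream and two font streams."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d >>\nstream\n" % len(CONTENT) + CONTENT + b"\nendstream",
        b"<< /Length %d /Subtype /TrueType >>\nstream\n" % len(FONT_A)
        + FONT_A + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(FONT_B)
        + FONT_B + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def carve_fonts(pdf):
    """Return one record per stream whose decoded bytes start with an sfnt magic."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm, lm = STREAM_RE.search(body), LEN_RE.search(body)
        if not sm or not lm:
            continue
        start = m.start(3) + sm.end()           # absolute offset of the stream data
        data = pdf[start:start + int(lm.group(1))]
        if b"/FlateDecode" in body[:sm.start()]:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                        # truncated or not really Flate
        if data[:4] not in SFNT_MAGICS:
            continue
        found.append({
            "obj": (int(m.group(1)), int(m.group(2))),
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": len(data),                  # decoded size, as in the table above
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    for rec in carve_fonts(build_sample()):
        print(rec["name"], rec["sha256"],
              "PDF embedded font (sfnt) at offset 0x%X" % rec["offset"],
              "%d bytes" % rec["size"])
```

The record layout mirrors the table: the filename encodes the stream offset, the offset is where the stream bytes sit in the file, and the size and hash are of the decoded font, which is why a compressed font can report a size larger than the distance to the next stream. Hashing the carved font is what lets the same embedded font (here, the DejaVu-style fonts wkhtmltopdf ships) be recognised across otherwise unrelated generated PDFs.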