Malicious PDF — malware analysis report

Static analysis result for SHA-256 4eb10c7d126b7b2c…

MALICIOUS

PDF

78.9 KB Created: 2021-03-18 14:11:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b7d5355dcf8ea85b53257998593d688 SHA-1: 8265296ef19b2e7f700927338e568fc8536aa8d4 SHA-256: 4eb10c7d126b7b2c6d6969a78d479d79d30bc5e2a1c663415a53901b6012a482
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external links, with a primary link to 'soxebez.ru' disguised as a search result for a reloading manual. The PDF's structure suggests it's part of a link farm or SEO manipulation scheme to drive traffic to potentially malicious sites. No scripts were extracted, but the presence of many external links points to a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=hornady+reloading+manual+pdf+free+download
    • http://nutristrike-shop.ru/introduction_to_psychology_textbook_4th_editiontynbw.pdf
    • http://ersoil.fun/introduction_to_elementary_particles_david_griffiths_solutionsh07q3.pdf
    • http://copyright-central-media.com/somewhere_west_side_story_piano_sheet_music85hda.pdf
    • http://mitutepoka.medianewsonline.com/maroxanebezowedig.pdf
    • http://ig-mediateam.net/hip_hop_hits_2010mxf5h.pdf
    • http://lilubaxubaxulu.sportsontheweb.net/singer_simple_sewing_machine_issues.pdf
    • http://magnitoli-2ekran.site/86026487613xi6jd.pdf
    • http://jufanurozud.getenjoyment.net/piano_sheet_music_easy_free.pdf
    • http://stavki.link/237770486467hjty.pdf
    • http://istlan.space/android_rpg_games_modded_offline_apkrxopz.pdf
    • http://sweetmeet.online/tobobakadabuduti36qj.pdf
    • http://tb-films.ru/catch_me_if_you_can_musicalrrt6j.pdf
    • http://tamakedesununod.mywebcommunity.org/samsung_model_un32n5300afxza_remote_control.pdf
    • http://womenit.space/fuerzas_intermoleculares_puente_de_hidrgenobtbco.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9bac6123-c800-4ddc-af03-c9e4f7e0e972/dyson_ball_animal_2_plus_bagless_upright_vacuum_cleaner_755.pdf
    • http://jezevenakos.myartsonline.com/81808182784.pdf
    • https://814cba0f-f649-4223-bfe6-7884e6e02b9d.filesusr.com/ugd/c1108c_8b823e3d4fd14786aa8e60415f8fe2f2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1e264339-1d32-4ac0-80f4-bdd4dd0fa7d0/which_bible_translation_is_considered_the_most_accurate.pdf
    • https://uploads.strikinglycdn.com/files/4c562d72-c357-4197-8d21-099d5d76e578/la_catedral_del_mar_2.sezon_ne_zaman.pdf
    • https://uploads.strikinglycdn.com/files/f5603df5-a4da-4da0-96bb-ee17838ad8b5/baxemidevefuwinezipoxu.pdf
    • https://1fa67a36-2e8b-44cc-a955-751d80433762.filesusr.com/ugd/d85e51_21be11f7aec9481e8758fef36e76c4ec.pdf?index=true
    • https://0a497e50-07dd-462d-832d-d8678f741a8e.filesusr.com/ugd/5f857b_4fd895c531ab4d53bd8be7db381010a6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bed74e3f-2132-4b91-9baa-041082bc043f/mlk_letter_from_birmingham_jail_summary_sparknotes.pdf
    • https://uploads.strikinglycdn.com/files/348cd9b6-e5c5-4086-9359-e7bf4f277cd5/barrons_essential_words_for_the_toefl.pdf
    • https://uploads.strikinglycdn.com/files/1f7412ae-7a40-4ae8-b67c-e03f83bb63b3/18222500328.pdf
    • https://uploads.strikinglycdn.com/files/958a95bb-da82-4f0f-94ee-02b0eb0d8bf0/how_much_do_ski_lift_operators_make.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5b5.bin
dd6af8ff97a64606796a21df7a8c9d2280d878a35a8dd67315f70b0c3daf5abc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5B5 5340 bytes
font_01_sfnt_off0000f7e2.bin
5173a24ece1ed6074799642975046cbb32ce5129b8a699ef02419b23f3c3eac7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7E2 11376 bytes
font_02_sfnt_off00011e52.bin
78247699ea725f899009aa762b323b068484dfb2d4f2b7974ae1abf5fb15e3e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E52 6076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.