Malicious PDF — malware analysis report

Static analysis result for SHA-256 4eecc25ed6a0ab45…

MALICIOUS

PDF

Size: 88.1 KB
Created: 2021-03-23 03:43:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 268d1d045fe2e725d86bdedfb6442128
SHA-1: 7767592e0447206521de1f12a2788e047be4f149
SHA-256: 4eecc25ed6a0ab45ba2bc23a9edd48d24c73c7b37703afdcfd6ab8b3461064aa
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, with a critical heuristic identifying it as a potential link farm. The document body and heuristics suggest an attempt to lure users with urgency, likely to redirect them to malicious websites. While no scripts were extracted, the presence of numerous external links and the ML classifier's high confidence indicate a malicious intent to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011bb3.bin
  SHA-256: 7f9bf003408e673b3d9c4e24b4937caac289280ba1360d3f8f84c11ccc995800
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11BB3
  Size: 5124 bytes

Filename: font_01_sfnt_off00012d18.bin
  SHA-256: eb9e1293e9213a881133038adc2c79fccd59c34d2003745e58f3ef6e700c145d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12D18
  Size: 11076 bytes