Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f0897d54c851595…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-03-29 08:59:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 228e3a727642386e0c33729eaf47a351
SHA-1: 16a731d28649c20db1229751363d60f49a5ed94c
SHA-256: 4f0897d54c85159504c5922a05edf3fc95dee35cf9b6a4c649bbcb4a31768e49
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of them pointing to free-hosting or disposable domains, the pattern of a generated SEO link farm rather than ordinary document citations. The visible content, although heavily obfuscated, appears to reference cracked software (the utm_term=adobe+audition+cs6+cracked redirector link), a common lure for phishing and unwanted-software delivery. No exploit was found in the file itself; the risk lies in the linked destinations, and the ML classifier's high-confidence score corroborates the link-farm verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; the info rating here means no active content was found in the duplicate.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The extractor reports every URL-shaped string, so the list below also contains XMP/RDF namespace URIs (w3.org, purl.org, ns.adobe.com) and font licence/foundry URLs (scripts.sil.org/OFL, ascendercorp.com) that most likely come from document metadata and the embedded fonts rather than from clickable links.
    • https://xezojetit.ru/123?utm_term=adobe+audition+cs6+cracked
    • http://bimizuzi.sportsontheweb.net/causas_del_bogotazo.pdf
    • http://frukt.space/stumbled_across_synonyme5duz.pdf
    • http://girepodemaz.getenjoyment.net/best_text_editor_app.pdf
    • https://static.s123-cdn-static.com/uploads/4424646/normal_5ff57ee8ef1b4.pdf
    • http://cocobuka3.xyz/where_can_i_learn_graphic_design_onlinezce0c.pdf
    • http://fogejebimo.scienceontheweb.net/96064070936.pdf
    • http://ejinaya.com/nanumiliikudb.pdf
    • https://static.s123-cdn-static.com/uploads/4469643/normal_5ff22ce9bb859.pdf
    • https://static.s123-cdn-static.com/uploads/4379970/normal_5fdd8960e8ac3.pdf
    • http://wusozupu.mypressonline.com/central_limit_theorem_proof.pdf
    • https://cdn.sqhk.co/vamosopon/ihYjggh/86741446771.pdf
    • https://cdn.sqhk.co/guwuweri/YMGlii0/idling_to_rule_the_gods_drc_guide.pdf
    • http://helpcopyright-service.com/how_to_hard_reset_a_vizio_tv_without_the_remoteh49ki.pdf
    • https://cdn-cms.f-static.net/uploads/4470967/normal_601bb39503141.pdf
    • https://cdn.sqhk.co/kapokosop/mjhicic/oil_price_war_latest_news.pdf
    • https://cdn.sqhk.co/wabasenenem/ihigjgw/effing_worms_2_game.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://dc5983eb-04eb-4341-be6e-5f763cf8c8d0.filesusr.com/ugd/979c04_4e904180b85c400bb0a56399e427b0e6.pdf?index=true
    • https://61069a5e-3c5f-4884-a3c7-8c7552058b74.filesusr.com/ugd/0789d5_8da4bd51de8d407cb3c5b076133aac40.pdf?index=true
    • http://givetupazowo.onlinewebshop.net/39307067666.pdf
    • https://e590c0d9-b694-44fb-9862-47327b30d8b0.filesusr.com/ugd/89363e_90d14b8c59444e90a9ac73831161b865.pdf?index=true
    • https://b7af6bb9-01eb-4839-ab56-764651de4344.filesusr.com/ugd/2486b5_5cef9fa670004cf9a5c1001a64cb9e96.pdf?index=true
    • https://d09251a9-b09e-4077-8ccb-24037f005f7b.filesusr.com/ugd/a6ce17_7ee61828516649f18210e97bb9fdc612.pdf?index=true
    • https://a35b4eae-300a-44a5-b982-8d633984e519.filesusr.com/ugd/19735e_882c42e196974cf3bbbc4abe0c938807.pdf?index=true
    • https://68f2566a-c586-4d15-a5d1-3a72044c38f3.filesusr.com/ugd/ecec20_b555f772bc0748aba6a6f86290cae5be.pdf?index=true
    • https://37bdae34-bb2f-403f-997c-54a7c09d9c06.filesusr.com/ugd/dc98cc_31fe228ea9954ebdba8b193770a9e581.pdf?index=true
    • https://770ad53b-b55e-4e58-b1eb-3709f41304f7.filesusr.com/ugd/98e298_e8567339b7cf44e79224350c28211461.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
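As an added illustration of the two heuristics above (host clustering of external PDF links, and an object number defined twice with different bodies), and not code from the scanner that produced this report: the Python script below pulls /URI actions out of raw PDF bytes, clusters the .pdf links by host, flags utm_term redirectors and free-hosting suffixes, and lists objects that are defined more than once with differing bodies, showing what a first-wins and a last-wins reader would each resolve. The sample PDF bytes, the disposable-host suffix list and the thresholds are constructed for the example and are not the scanner's values.

```python
"""Link-farm and duplicate-object checks over raw PDF bytes (added example)."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample, not the analysed file. Four link annotations, and
# object 4 0 is redefined with a different /URI in an appended incremental
# update, so first-wins and last-wins readers resolve different targets.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://a.example/x.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://b.example/y.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redir.example/go?utm_term=tool+cracked) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.free-host.example/u/1.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://c.example/z.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Assumed free/disposable content-host suffixes; real tooling keeps a curated list.
DISPOSABLE_SUFFIXES = ("free-host.example",)


def extract_uris(data: bytes) -> list[str]:
    """Return every /URI literal string in uncompressed objects, in file order.

    Caveats: only literal-string URIs are handled (not <hex> strings or
    escape sequences), and objects inside compressed object streams stay
    invisible until they are inflated.
    """
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def find_object_bodies(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Map (object number, generation) to every body defined for it."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return bodies


def find_duplicate_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Objects defined more than once with at least two distinct bodies."""
    return {k: v for k, v in find_object_bodies(data).items()
            if len(v) > 1 and len(set(v)) > 1}


def resolve_object(data: bytes, num: int, gen: int, policy: str = "last") -> bytes | None:
    """Body a first-wins ("first") or last-wins ("last") reader would use."""
    bodies = find_object_bodies(data).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def classify_link_farm(uris: list[str], min_links: int = 4,
                       dominant_share: float = 0.5) -> dict:
    """Cluster external .pdf links by host and label the link-farm shape.

    Thresholds are assumptions for this example, not the scanner's values.
    """
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    has_utm_term = any("utm_term" in parse_qs(urlparse(u).query) for u in uris)
    disposable = [u for u in pdf_links
                  if (urlparse(u).hostname or "").endswith(DISPOSABLE_SUFFIXES)]
    label = None
    if len(pdf_links) >= min_links:
        if top_n / len(pdf_links) >= dominant_share:
            label = "PDF_SEO_LINK_FARM"             # clustered on one host
        elif has_utm_term or disposable:
            label = "PDF_SEO_DISPOSABLE_LINK_FARM"  # spread thin, corroborated
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "has_utm_term": has_utm_term,
        "disposable_links": disposable,
        "label": label,
    }


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print(classify_link_farm(uris))
    for key in find_duplicate_objects(SAMPLE_PDF):
        print(key, "first-wins:", resolve_object(SAMPLE_PDF, *key, "first"))
        print(key, "last-wins: ", resolve_object(SAMPLE_PDF, *key, "last"))
```

Run against a real sample, the script only sees objects that sit uncompressed in the file; a scanner that wants the same result on PDF 1.5+ files must first inflate object streams (/Type /ObjStm), and a link-annotation count that ignores them will undercount. Which body a given viewer honours for the duplicated object is exactly the parser-confusion question the heuristic raises, so any verdict on the duplicate should be based on both resolutions, not just the one your parser happens to pick.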

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f80f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF80F
  Size: 5248 bytes
  SHA-256: a070d610999cb1372152378ca3df7781d4af2caaf692c3f5ef7ba9a2ebb8dea9

Filename: font_01_sfnt_off000109f8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x109F8
  Size: 21812 bytes
  SHA-256: ae1adc0d9bbc2e9970d9a1f144575aea3f9732ffa11b1abec84acf6f3199e11b