Malicious PDF — malware analysis report

Static analysis result for SHA-256 4feeb6e7a0b768e5…

Verdict: MALICIOUS
File type: PDF
Size: 122.9 KB
Created: 2021-03-19 22:59:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: c03921dce07e349af11717c5c305bbef
SHA-1: bb8876f4e4aad6b32a0cc9168e29d5c9f107b9ec
SHA-256: 4feeb6e7a0b768e5d260a280253621a00b3234b55f92abce0e8d1d1b23c5856b
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by a machine learning classifier as malicious. It contains a large number of external links, many pointing to disposable domains, which is characteristic of a link farm designed to manipulate search engine results or redirect users to malicious content. The primary URL identified is https://soxebez.ru/award?keyword=ghazwa+e+khyber+in+urdu+pdf, which appears to be part of this SEO-optimized link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/award?keyword=ghazwa+e+khyber+in+urdu+pdf  [PDF link annotation]
    • https://cdn-cms.f-static.net/uploads/4411921/normal_601bc5ffe5537.pdf  [In PDF document text]
    • https://warolola.weebly.com/uploads/1/3/4/6/134600536/kukufowis.pdf  [In PDF document text]
    • https://static.s123-cdn-static.com/uploads/4366325/normal_5fcb75c51279e.pdf  [In PDF document text]
    • https://static.s123-cdn-static.com/uploads/4450728/normal_5ffea44eecd6b.pdf  [In PDF document text]
    • https://cdn.sqhk.co/zejegure/Tje0Ujh/37099634975.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4466662/normal_6012b3680f651.pdf  [In PDF document text]
    • https://cdn.sqhk.co/repejuvovod/aSMSQoQ/dinoland_play_centre_aldi.pdf  [In PDF document text]
    • https://static.s123-cdn-static.com/uploads/4423728/normal_5ff7653d5b5f4.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4444110/normal_600a4ed79f992.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4444095/normal_60222154577dc.pdf  [In PDF document text]
    • https://tivositazevuzin.weebly.com/uploads/1/3/5/3/135349871/ba561569504ec.pdf  [In PDF document text]
    • https://vipinilanevam.weebly.com/uploads/1/3/4/8/134873552/fodinalilafilin.pdf  [In PDF document text]
    • https://fomimixa.weebly.com/uploads/1/3/4/7/134775862/malil.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4495246/normal_5fd7d9eadfaec.pdf  [In PDF document text]
    • https://cdn.sqhk.co/godajaxox/ehi0Lie/28026085267.pdf  [In PDF document text]
    • http://www.ascendercorp.com/  [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/4b60f43c-e6ff-475f-b420-1361b6c4db16/devuji.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/97a9844b-c429-4f34-9a70-a5df677221db/fapulerojozumapok.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/0eb33d22-51c7-40ca-bd13-8119ab85b459/94670588094.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/77661c8f-7fc5-40fb-a3cb-5cc593e83f85/how_to_determine_fracture_toughness_of_a_material.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/fc3bbf2f-1345-4b45-a60a-a40b44251445/zizetimerogatumov.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/767030da-d503-43b6-b35b-4292de17d678/dewezeta.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/00f1977c-f6d6-4879-9f4a-d8b1e0f67513/death_note_ending_1_lyrics_japanese.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/987fa20c-d64e-4962-95c2-f7426d351bea/difetir.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/8bffb77f-054d-4d5a-a1bf-fb5b099fd79c/cask_of_amontillado_analysis.pdf  [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In PDF document text]
    • http://purl.org/dc/elements/1.1/  [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [In PDF document text]
    • http://dejavu.sourceforge.net  [In PDF document text]
    • http://dejavu.sourceforge.net/wiki/index.php/License  [In PDF document text]
    • http://scripts.sil.org/OFL  [In PDF document text]

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_006_off0001a47c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1A47C | 30264 bytes | dc6996b03675d859688c4ed3afb2e0a832a7a7fa7ee84f6b5e76bfca730a4e37
font_00_sfnt_off000167d3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x167D3 | 5396 bytes | d94b0adbe8ed6554352b24c802e6439e55ac7cbee3300080f78c462abd86eed8
font_01_sfnt_off00017a47.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17A47 | 13172 bytes | dcb9a7933176f62f33ea3eb1e28d4232663a4a92fcbb6164d7a9cc1f33bffe84