Malicious PDF — malware analysis report

Static analysis result for SHA-256 517d8d8b0d697efd…

Verdict: MALICIOUS
File type: PDF
Size: 85.6 KB
Created: 2021-03-29 01:33:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2be9fa5765c9b1ad7bee9edb09b7ab68
SHA-1: e151e659db09b62b63739f044877ec744afa9b2d
SHA-256: 517d8d8b0d697efd9728edf1e1859200c3dad2c641a1cf99da373b70906dc6d2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document is classified as malicious by ML and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results, with one prominent URL being https://mezovuduw.ru/wix?keyword=los+originales+de+san+juan+mp3+descargar+musica+gratis. The document's content and structure suggest it is used as a lure to direct users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/wix?keyword=los+originales+de+san+juan+mp3+descargar+musica+gratis

Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f8a1.bin | e01df08415243722625f229632f31b6b0925a2c4486541664985f47c9511da46 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8A1 | 5572 bytes |
| font_01_sfnt_off00010b85.bin | 8b29e989a4bf5c18adebaaff5ef72b2c15dd8000ee48dfbcd8b66f06de31efc9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B85 | 12052 bytes |
| font_02_sfnt_off00013309.bin | 5570ae8fa562a837499aa87710aed0b2bc48f7e42481059dc68e183d0697d456 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13309 | 16128 bytes |