Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ca9f2f809bbb739…

Verdict: MALICIOUS
File type: PDF
Size: 112.6 KB
Created: 2021-04-08 09:13:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 5fde389f7a54e11bfd68547b99b66963
SHA-1: 27fd80be3dcc4c0d7a8ec5f5d97c52ecc72c6bcf
SHA-256: 5ca9f2f809bbb7392f555f303386b5c0e7706665c2bd47efd5c288c022625c82
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, with one heuristic specifically identifying a 'PDF link farm'. The primary suspicious URL is 'https://kuzutuzo.ru/wix?keyword=whited+sepulchre+definition', which is likely used to direct users to malicious content or for SEO manipulation. While no scripts were explicitly extracted, the presence of numerous external links and the ClamAV detection suggest a phishing or malicious content delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9577

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/wix?keyword=whited+sepulchre+definition (PDF link annotation)

Extracted artifacts (10)

Files carved from inside the sample during analysis (filename, kind, source, size, SHA-256).

  • stream_010_off00017855.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x17855, 18176 bytes
    SHA-256: e43eb858545a4d9b6abacc8c33ec9501d2ae64a4dc3cc092ef357486bb4e7a32
  • font_00_sfnt_off0000f0c6.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xF0C6, 5684 bytes
    SHA-256: caeed39893b82969c26dfcac95946a3fad4fbae0765b3ea81aa15456cfe783a6
  • font_01_sfnt_off000104a1.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x104A1, 4928 bytes
    SHA-256: c2a2d20301e4283e5240a785dd5510b2c0fa3ba6713a7737ca84a50d9278ef34
  • font_02_sfnt_off00011564.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x11564, 2656 bytes
    SHA-256: 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178
  • font_03_sfnt_off0001206b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1206B, 2328 bytes
    SHA-256: 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed
  • font_04_sfnt_off00012b21.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x12B21, 2108 bytes
    SHA-256: b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
  • font_05_sfnt_off000134ec.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x134EC, 6640 bytes
    SHA-256: c8cb303e765c67f43d6d34f29c1d02953890772ff7b697be779fb29335000f72
  • font_06_sfnt_off0001468b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1468B, 16340 bytes
    SHA-256: cf3b0a69cb731db6a563b362be5c7ff089a66cdb94e408cef5f511265ad06585
  • font_08_sfnt_off000194e9.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x194E9, 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
  • font_09_sfnt_off0001a2f3.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1A2F3, 3276 bytes
    SHA-256: 333cf0bae5291019b79d77a37696b89786718dc77a0e6f1c7356514a48765311