Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ce3e658302f7ea2…

MALICIOUS

PDF

Size: 80.7 KB
Created: 2021-03-18 02:01:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6afe01157b7f77fe7ad0d82ff805f23
SHA-1: 526f88d2c93ab596b9242d2091868575f38994e9
SHA-256: 5ce3e658302f7ea2f820c7ab6ae968549902fbdd81fc99934fe57dd3ada70231
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. The document body, though heavily obfuscated, suggests a lure related to 'Gmat mba pdf'. The presence of external links and the link farm heuristic strongly indicate a malicious intent to redirect users, likely for phishing or SEO abuse. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fcef.bin
    SHA-256: f921f19e4c06b21418f5b2e5bd3181f78256f81c7af0fb48f2edd3279e3ad503
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCEF
    Size: 5052 bytes
  • Filename: font_01_sfnt_off00010e0b.bin
    SHA-256: 12cd3bfefece73f50096d15a3d0a28c0381be4da2879f203b82e4fe6b845fe98
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E0B
    Size: 11252 bytes