Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f48a8fa0e96d196…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-03-13 19:11:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bff0d0a28bf45673ca98470afd55ccd6
SHA-1: 9a2466fea2e7e5c3d49f4557a592f35b3b666260
SHA-256: 5f48a8fa0e96d196c1a460a3a3e1562baaaebfff5f6789471dd78fcee1e5187c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  Of these, only T1566.001 (a PDF lure delivered as an attachment) is supported by the findings below. No JavaScript, launch action or exploit content was extracted from the sample, so T1059.007 and T1203 are not evidenced by the file's own content and should be treated as tentative.

The PDF contains numerous external links. The first extracted URL (https://vilenefex.ru/wix?keyword=champion+simulator+script+hack) is a keyword-driven landing URL whose parameter, 'champion simulator script hack', shows the search traffic the document targets. The ML classifier scores the file as malicious with high confidence (0.9983), and the document structure matches a generated SEO link-farm PDF: a small file whose main content is clickable links to further PDFs hosted on a handful of free-hosting domains (weebly.com, filesusr.com, strikinglycdn.com, cdn.sqhk.co). No scripts or exploit content were extracted, so the threat is the redirection chain the links lead into, not anything the PDF executes on its own.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9983

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader the later one, so two viewers can see different content: a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (the later definition simply supersedes the earlier one), so severity is raised only when the duplicate carries active content. Here it did not, hence the info rating.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=champion+simulator+script+hack
    • https://goxatuzibifonev.weebly.com/uploads/1/3/0/7/130739188/fubuwunegimifu.pdf
    • http://ludshop.xyz/90530852154kwryo.pdf
    • https://gudetopop.weebly.com/uploads/1/3/0/9/130969639/4178580.pdf
    • https://nadunala.weebly.com/uploads/1/3/4/8/134877180/444569ba71.pdf
    • https://cdn.sqhk.co/tosobulig/0bMlgdN/simple_music_player_mac.pdf
    • https://zunudomulu.weebly.com/uploads/1/3/4/6/134604261/rewixola-mateduraw-vedufavagupup-xutiv.pdf
    • https://cdn.sqhk.co/medipevagopu/jniqidh/us_police_motorcycle_gangster_chase_bike_games.pdf
    • http://nominasacra.ru/fewakolata4cobw.pdf
    • http://sdfafq.info/what_is_the_definition_of_the_word_sephiroth163vx.pdf
    • https://fomoxejuj.weebly.com/uploads/1/3/4/0/134000143/papufe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://441768bb-9839-4df4-8f78-dd1233b527f6.filesusr.com/ugd/7e6080_7e352f52f696419084e53da3fbbce53c.pdf?index=true
    • https://562c2315-396f-49d1-9e45-1236e049cb13.filesusr.com/ugd/ec0012_1d9c7c71b7674e8c85a07cde86b11ced.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cac75b49-65ff-41a7-9c06-e436920ffabe/dell_34_u3415w_manual.pdf
    • https://26f2e344-8444-46ea-90c9-5a893bcc2fb3.filesusr.com/ugd/b8c837_808bfa6ee25240959b419aacb73f677c.pdf?index=true
    • https://5a8aee2d-3d68-4c09-98ed-743c9c56d6fd.filesusr.com/ugd/460efe_4e6606b633124eb083ac6fa0b9769ac3.pdf?index=true
    • https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_dacec43734a74c5ebef3c41f50de3ed3.pdf?index=true
    • https://8964868a-aef6-4da0-9a9b-29de7c28e0c5.filesusr.com/ugd/b910ae_14790159e11749e5ba6a8f4f4f844e11.pdf?index=true
    • https://235a1a37-2bc9-4d3b-8f1d-d3952ad9fba8.filesusr.com/ugd/3111f7_0dcdcaa399c9464baeebe8280ced572e.pdf?index=true
    • https://0fc0baf9-b884-4fcd-968e-f93c0f938930.filesusr.com/ugd/68ec51_495c3ecb338840a39c8ce82251954d79.pdf?index=true
    • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_75361919ad72421e8846d7141a8ec50b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f5a66d3c-7e4c-45fb-a117-7a7e6e21e117/les_trois_mousquetaires_film_1961_streaming.pdf
    • https://uploads.strikinglycdn.com/files/6bf1419e-5b1c-4cea-a2f2-f7f6c2c4668f/pewelixobekuzifizanureg.pdf
    • https://uploads.strikinglycdn.com/files/393d8934-6776-45e0-a46a-60af07aa5a4a/domiretoj.pdf
    • https://9cfe8934-cc69-4f76-a0d0-2e9849ea4530.filesusr.com/ugd/fd9558_c41e1346e5d44de68bfa1430afbfdb79.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The nine URIs above are standard XMP/RDF namespace identifiers and font-licence URLs (SIL OFL, DejaVu) of the kind carried in PDF metadata streams and embedded-font name tables. They are not link annotations and should not be counted toward the link-farm finding.
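The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-channel labelling behind EMBEDDED_URL can be reproduced in a few dozen lines. The following is an added example, not the analysis tool's own code: it scans uncompressed indirect objects with regular expressions, so objects packed into /ObjStm object streams or behind a /Filter are invisible to it (a real scanner inflates those first). The constructed sample PDF, the host names farm.example and other.example, the thresholds (200 KB, 10 links, 50 % on one registrable domain) and the active-content key list are assumptions made for illustration; the sample's duplicated object deliberately adds /OpenAction in its second body so that the severity escalation path is exercised, unlike the info-rated finding in this report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Regexes for uncompressed objects only (assumption: no /ObjStm, no /Filter).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# Keys that make a conflicting object body "active content" (illustrative list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI")


def parse_objects(data):
    """Every 'N G obj ... endobj' definition, in file order, as (N, G, body)."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: (N, G) defined more than once with different
    bodies.  A first-wins reader resolves bodies[0], a last-wins reader bodies[-1]."""
    seen = defaultdict(list)
    for n, g, body in objs:
        seen[(n, g)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(dupes):
    """Body-only differences are normal in incremental updates; escalate only when
    any conflicting body carries active content."""
    if not dupes:
        return None
    active = any(key in body for bodies in dupes.values() for body in bodies for key in ACTIVE_KEYS)
    return "critical" if active else "info"


def extract_urls(objs):
    """EMBEDDED_URL: each URL labelled with the channel that reached it."""
    found = []
    for _, _, body in objs:
        for m in URI_ACTION_RE.finditer(body):
            found.append(("link-annotation", m[1].decode("latin-1")))
        if b"/Type /Metadata" in body:  # XMP stream: namespace URIs, not clickable links
            found += [("xmp-metadata", m[0].decode("latin-1")) for m in ANY_URL_RE.finditer(body)]
    return found


def registrable_domain(url):
    """Crude clustering key: last two host labels (farm.example, weebly.com, filesusr.com)."""
    return ".".join(urlparse(url).netloc.split(".")[-2:])


def link_farm(urls, file_size, max_size=200_000, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable external links, mostly on one domain."""
    domains = Counter(registrable_domain(u) for channel, u in urls if channel == "link-annotation")
    total = sum(domains.values())
    if file_size > max_size or total < min_links:
        return None
    domain, count = domains.most_common(1)[0]
    if count / total < min_share:
        return None
    return {"links": total, "dominant_domain": domain, "share": round(count / total, 2)}


def analyze(data):
    objs = parse_objects(data)
    dupes = duplicate_objects(objs)
    urls = extract_urls(objs)
    return {
        "duplicate_objects": sorted(dupes),
        "duplicate_severity": duplicate_severity(dupes),
        "urls": urls,
        "link_farm": link_farm(urls, len(data)),
    }


def build_sample(n_links=12):
    """Constructed sample: a small uncompressed PDF with n_links link annotations on
    farm.example, one on another host, an XMP metadata object, and object 4 0
    redefined by an appended incremental update whose body adds /OpenAction."""
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"4 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj\n",
        b"5 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
        b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>\n'
        b"endstream endobj\n",
    ]
    for i in range(n_links):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
                     b"/URI (https://farm.example/uploads/%d.pdf) >> >> endobj\n" % (10 + i, i))
    parts.append(b"99 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
                 b"/URI (https://other.example/manual.pdf) >> >> endobj\n")
    # Incremental update: same object number and generation, different body.
    parts.append(b"4 0 obj << /Producer (wkhtmltopdf 0.12.5) /OpenAction 3 0 R >> endobj\n%%EOF\n")
    return b"".join(parts)
```

Calling analyze(build_sample()) reports object (4, 0) as duplicated with severity "critical", labels the w3.org namespace as xmp-metadata rather than link-annotation, and flags a link farm of 13 clickable links with 92 % on farm.example; with three links the link-farm check returns None. On the real sample the same clustering key would group the weebly.com and filesusr.com hosts the way the report's heuristic does.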

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb61.bin
  SHA-256: ace74d08a28f66418cbc15324f0da1963a346feb7545162d6cafbfbf9e1a089c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEB61
  Size:    5144 bytes

Filename: font_01_sfnt_off0000fca2.bin
  SHA-256: 1c442759b2948b5941339722fd83a5616370c3c74fe41922a0870ffa35effa67
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFCA2
  Size:    1736 bytes

Filename: font_02_sfnt_off00010540.bin
  SHA-256: 38b5e18783890c3544c58909413a51745aae71f5b249ea77ba8ab51018081f20
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10540
  Size:    12744 bytes

Filename: font_03_sfnt_off0001300e.bin
  SHA-256: 050cca2678d7435c270027ff58d84efa212ea3c5592871ae9bdc0d1e185112d0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1300E
  Size:    16076 bytes
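The four carved artifacts are embedded sfnt (TrueType/OpenType) font programs, which is what a wkhtmltopdf-generated document is expected to carry. Because font parsers are a long-standing client-execution target, the useful follow-up on a file rated this way is to confirm that each carved font is at least structurally well-formed before opening it in anything that renders fonts. The following added example (not the report's tooling) carves uncompressed font streams from a constructed PDF and bounds-checks the sfnt table directory; the object numbers, the two constructed font blobs and the dictionary-key matching are assumptions, and real PDFs normally /FlateDecode these streams, which this sketch does not inflate.

```python
import hashlib
import re
import struct

# Uncompressed stream objects only (assumption): "N G obj << dict >> stream ... endstream".
STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}


def check_sfnt(blob):
    """Bounds-check the sfnt header and table directory.  Returns a list of problems;
    an empty list means every table directory entry fits inside the blob."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return ["not an sfnt header"]
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if num_tables == 0 or dir_end > len(blob):
        return ["table directory exceeds font size"]
    problems = []
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:12 + 16 * (i + 1)])
        if offset < dir_end or offset + length > len(blob):
            problems.append(f"table {tag!r} points outside the font")
    return problems


def carve_fonts(data):
    """Carve raw font streams and describe them like the report's artifact table."""
    fonts = []
    for m in STREAM_RE.finditer(data):
        dictionary, body = m[3], m[4]
        # Embedded font programs carry /Length1 (TrueType) or /Subtype /OpenType.
        if b"/Length1" not in dictionary and b"/Subtype /OpenType" not in dictionary:
            continue
        if b"/Filter" in dictionary:
            continue  # would need inflating first; out of scope for this sketch
        fonts.append({
            "object": (int(m[1]), int(m[2])),
            "offset": m.start(4),
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),
            "kind": "sfnt" if body[:4] in SFNT_MAGICS else "unknown",
            "problems": check_sfnt(body),
        })
    return fonts


def build_sfnt(tables):
    """Constructed minimal sfnt: header, table directory, table data (not a usable font)."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    directory, payload, offset = b"", b"", 12 + 16 * num
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        payload += data
        offset += len(data)
    return header + directory + payload


def build_sample():
    """Constructed PDF with two uncompressed font streams: one well-formed, one whose
    'head' directory entry claims a length far past the end of the blob."""
    good = build_sfnt([(b"head", b"\x00" * 54), (b"glyf", b"\x00" * 16)])
    bad = bytearray(build_sfnt([(b"head", b"\x00" * 54)]))
    struct.pack_into(">I", bad, 12 + 12, 0x7FFFFFFF)  # length field of the first entry
    parts = [b"%PDF-1.4\n"]
    for num, blob in ((7, good), (8, bytes(bad))):
        parts.append(b"%d 0 obj << /Length %d /Length1 %d >>\nstream\n" % (num, len(blob), len(blob))
                     + blob + b"\nendstream\nendobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)
```

carve_fonts(build_sample()) returns one clean sfnt of 114 bytes from object 7 and an 82-byte blob from object 8 whose 'head' entry is reported as pointing outside the font. A carved font that fails this check is a reason to keep it inside the sandbox rather than a verdict on its own; a font that passes can still be malicious, so the check is a triage filter, not proof of safety.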