Malicious PDF — malware analysis report

Static analysis result for SHA-256 678fa92c74ea28dd…

MALICIOUS

PDF

77.3 KB Created: 2021-03-23 21:27:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f49c73d5c245edd1ccfa525abbe91ded SHA-1: 25c8a0e5132bd3c93a616777645441e939e16b79 SHA-256: 678fa92c74ea28ddfa7ebb8876c8197621e4f78bd29adaa2a64827fe5b2cc53f
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to disposable hosting, indicating a link farm or SEO manipulation tactic. One prominent URL, 'https://kuzutuzo.ru/strik?utm_term=evh+5150+iii+50+watt+6l6+head+stealth', is flagged as unknown reputation and is likely the primary malicious destination. ClamAV detection and ML classification strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=evh+5150+iii+50+watt+6l6+head+stealth
    • https://cdn.sqhk.co/duxisabaza/ii0ics7/fepaxezuwelupokikulun.pdf
    • http://aycotoro5.xyz/29724108302s7sxt.pdf
    • http://shoop-fn.ru/what_are_human_valuesma9bj.pdf
    • https://cdn.sqhk.co/xezufulozuwo/tuifiaf/walmart_grocery_free_delivery_coupon_code.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b88611b2-74d5-480e-9dcd-ce09d318fd88/que_significa_soar_con_que_se_caen_los_dientes_de_abajo.pdf
    • https://11e0ccb5-01dd-4757-ae93-f6f3b4f5ca32.filesusr.com/ugd/1a2ce6_9c5c0bfafc6045e3b2cf3b1f8cd34058.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2bf55f6d-f03a-47f9-a32a-41d50215a5db/nisebevineg.pdf
    • https://123949be-7110-4ba3-a240-a7df06fb38ce.filesusr.com/ugd/80fd5d_5277c797626c471dae91aaf405f960d6.pdf?index=true
    • https://s3.amazonaws.com/tometubufimopim/metropolitan_area_network_information.pdf
    • https://uploads.strikinglycdn.com/files/27b96367-44c0-42be-8f1e-ac172c2aab93/8824606044.pdf
    • https://s3.amazonaws.com/remeranexe/whatsapp_status_hdvidz._in.pdf
    • https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_0efbe38f5c6047b6b69ca6002e46bbd1.pdf?index=true
    • https://d0275d90-c5b4-4c72-b581-d0e2b62fc6dd.filesusr.com/ugd/ee54da_9958d292682946e0b40680f1fe112d9d.pdf?index=true
    • https://37e79482-e567-4eff-b449-6ea9b90d4679.filesusr.com/ugd/cff0cd_96c221f89abc401ca51ab5b5ad2f9318.pdf?index=true
    • https://0ddd2631-58c7-464c-86d0-a5d1d8121c04.filesusr.com/ugd/301b85_33a22456d3d7498ea71b96a93dbfa39e.pdf?index=true
    • https://s3.amazonaws.com/moduxanakuri/dinuvunemejari.pdf
    • https://b8436764-02b3-4471-8711-1e8fed235cf0.filesusr.com/ugd/3b3fbb_0bc0603b762140d3afe3c17a4277fbf8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebcf.bin
615db952591d1295b6fec8c8d9fc06b0d8d5e1bba1017a15949b1005bbe6a92c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBCF 5396 bytes
font_01_sfnt_off0000fe49.bin
63a062a930abe12d7f29fbebf9dafb1a14ba334ec967a9feb0b12cfb0d5d8681		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE49 11908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.