Malicious PDF — malware analysis report

Static analysis result for SHA-256 67f1514c08077aa6…

Verdict: MALICIOUS
File type: PDF

Size: 69.4 KB
Created: 2021-03-05 05:57:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: 2906f2f5ff006cecd78a90af42ce28ea
SHA-1: a4d667eedabe756686ac1905a48c8b771b82b9b6
SHA-256: 67f1514c08077aa6daa3a59f745d53e0f9ea7e060f3745f49195630e0cba933b
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript (note: none of the four heuristics listed below reports JavaScript content)

The PDF contains an embedded URI (a clickable link annotation) pointing to a suspicious domain; its query string, utm_term=what+are+the+four+weather+fronts, is crafted to look like a search-engine result. The document also has the shape of an SEO link farm: a large number of external links in the page text, many pointing to S3 buckets and other static file-hosting CDNs. The ML classifier strongly indicates maliciousness, and the overall structure is consistent with a generated document designed to redirect users to potentially harmful content or to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G obj) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/123?utm_term=what+are+the+four+weather+fronts (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4492278/normal_5fe24e40a2707.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4476943/normal_60416689dea8b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385011/normal_6018db2cb542c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4386365/normal_6019ca6195b03.pdf (in PDF document text)
    • http://vewigufirenaw.22web.org/fubokugojawikewasud.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4460266/normal_5fcf9b7755613.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/wunojipu/ariesms_gear_progression_guide.pdf (in PDF document text)
    • https://s3.amazonaws.com/wulagisi/37218061213.pdf (in PDF document text)
    • https://s3.amazonaws.com/jepinebawo/jakir.pdf (in PDF document text)
    • https://ab737b70-891a-4a1f-8db9-ee548211cb31.filesusr.com/ugd/ce14f3_bc365215156645f1b2083cec1d2a7bed.pdf?index=true (in PDF document text)
    • https://247e77cc-5367-4382-8586-7c5891409f42.filesusr.com/ugd/2dbf5a_0f14b5f9759546b295f42aa88ff1433d.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/jixeremipet/powefinifanobixuv.pdf (in PDF document text)
    • https://1b6fe947-be7e-4494-9a94-f566f178d3d1.filesusr.com/ugd/89064d_baa6c06f52ed45b4bc404ba5d0531f2b.pdf?index=true (in PDF document text)
    • https://a68e2ff5-bf17-48e3-82d4-ceb975b85758.filesusr.com/ugd/760101_d215c9061cc844b69bced244e0d22c1a.pdf?index=true (in PDF document text)
    • http://femodizabofowu.epizy.com/android_tv_remote_service_app.pdf (in PDF document text)
    • https://s3.amazonaws.com/bipepezuwed/brighton_and_hove_visitor_parking_permits_form.pdf (in PDF document text)
    • https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_26ab8b6de23a479585a0cde8eee1c4c3.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/jivuxo/dorelifibavomar.pdf (in PDF document text)
    • https://s3.amazonaws.com/fotepopunaj/69458029896.pdf (in PDF document text)
    • https://e5eb5b25-b33c-43e3-82d5-57ab1bf863d8.filesusr.com/ugd/b0c717_d0e801d795834ae787d910d1bfb5e3d9.pdf?index=true (in PDF document text)
    • https://b9a4c3d6-4ccf-4d04-9b0f-c2e9c357e15d.filesusr.com/ugd/e5cbe5_3cc8e9e72536487e8fbfa21ab6437688.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/jarawaxanivu/tektronix_tds3054c_oscilloscope_manual.pdf (in PDF document text)
    • https://add83a7c-0e31-48b3-928b-061d82ba9144.filesusr.com/ugd/205ae4_e94177f5a3074a8a8b27dd9db5da16a5.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The last seven entries (the w3.org, purl.org and ns.adobe.com namespace identifiers and the SIL Open Font License URL) are XMP metadata and font-licence strings, not navigable link targets; only the leonvi.ru entry was reached through a clickable link annotation.
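
Two of the heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM, together with the per-channel URL labelling of EMBEDDED_URL, can be reproduced with a byte-level scan of the file. The following is an added example written for this page; it is not the engine that produced the report. Its regexes, its thresholds (256 KB, 10 links, 50% on one host), the list of keys treated as "active content", and the constructed sample PDF (cdn.example.com, fonts.example.org and lure.example are made-up names) are all assumptions.

```python
"""Byte-level re-implementation of two checks from the report:
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM, plus per-channel
URL extraction. Added example, not the engine that produced the report;
regexes, thresholds and the sample PDF are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /URI action of a link annotation
TEXT_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")  # bare URL in text
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA)\b")  # assumed "active" keys


def find_duplicate_objects(pdf):
    """Objects whose 'N G obj' header occurs more than once with differing body
    bytes. A first-wins reader resolves the first body, a last-wins reader the
    last; severity is raised only when a duplicate body carries active content."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        defs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    findings = []
    for (num, gen), bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": f"{num} {gen}", "definitions": len(bodies),
                "distinct_bodies": len(set(bodies)),
                "first_wins": bodies[0], "last_wins": bodies[-1],
                # more than one startxref means a benign incremental update is plausible
                "incremental_update": pdf.count(b"startxref") > 1,
                "severity": "raised" if any(ACTIVE_RE.search(b) for b in bodies) else "info",
            })
    return findings


def inflated_views(pdf):
    """Yield the raw file, then every stream body that inflates as zlib, so URLs
    inside FlateDecode page content are visible to the text scan."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates the whitespace between the data and 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass


def extract_urls(pdf):
    """Map URL -> channel. /URI actions are clickable ('link annotation'); URLs
    seen only in page text or inflated streams are 'document text'."""
    urls = {}
    for m in URI_RE.finditer(pdf):
        urls[m.group(1).decode("latin-1")] = "link annotation"
    for view in inflated_views(pdf):
        for m in TEXT_URL_RE.finditer(view):
            urls.setdefault(m.group(0).decode("latin-1"), "document text")
    return urls


def link_farm_verdict(pdf, max_size=256_000, min_pdf_links=10, min_cluster=0.5):
    """PDF_SEO_LINK_FARM shape: a small file carrying many external .pdf links,
    most of them clustered on one host (thresholds are assumptions)."""
    pdf_links = [u for u in extract_urls(pdf) if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    cluster = top_count / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "pdf_links": len(pdf_links), "top_host": top_host,
            "cluster_ratio": round(cluster, 2),
            "hit": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
            and cluster >= min_cluster}


def build_sample_pdf(n_links=12):
    """Constructed PDF skeleton (no xref table; enough for byte-level triage):
    compressed page text listing n_links .pdf URLs on one host, and object 5
    defined twice, the second time with a lure /URI. All names are made up."""
    text = b"".join(b"BT /F1 10 Tf 20 %d Td (https://cdn.example.com/uploads/%d/normal_%d.pdf) Tj ET\n"
                    % (700 - 12 * i, 1000 + i, i) for i in range(n_links))
    text += b"BT /F1 10 Tf 20 100 Td (https://fonts.example.org/license.html) Tj ET\n"
    content = zlib.compress(text)
    link = b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (%s) >> >> endobj"
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj",
        b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(content) + content + b"\nendstream endobj",
        link % b"https://cdn.example.com/index.html",
        link % b"http://lure.example/123?utm_term=what+are+the+four+weather+fronts",  # redefinition
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    for d in find_duplicate_objects(sample):
        print(d["obj"], d["severity"], "last-wins body:", d["last_wins"][-80:])
    for url, channel in extract_urls(sample).items():
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

On the sample, object 5 0 resolves to the harmless cdn.example.com link in a first-wins reader and to the lure in a last-wins reader, which is exactly the parser-confusion shape the heuristic describes; because the body carries a /URI action, the finding is raised rather than left at info. The byte-level scan is a triage approximation: it misses /URI values written as hex strings, objects packed inside object streams (/ObjStm) and encrypted documents, all of which the full parser behind the report handles.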

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d509.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD509  4928 bytes
  SHA-256: 5b86ff7843985c570233ce4ab8b71e50442f270f51d8897f9f080686d9e4a3e6
font_01_sfnt_off0000e5df.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE5DF  9972 bytes
  SHA-256: 75a54ee05a40c3531bf94375f4d9d90712f845092ef7d4d08df9ce62f4dfd121