Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b83a00537c11fd5…

MALICIOUS

PDF

Size: 73.8 KB
Created: 2021-03-22 16:00:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9841e4b1be173d91b440a3eea1105f4
SHA-1: 70cc1517a34171d94c35ae4b4a7cc532a75bae9d
SHA-256: 6b83a00537c11fd5e72cb20183dbacfc5b216909b403b78bd0007353dfa0728c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, including one to 'jacksth.ru' which appears to be a link farm for SEO purposes, potentially disguising malicious content. The document body, though heavily obfuscated, contains references to 'zombs royale aimbot script', suggesting a lure to attract users interested in game cheats. The presence of many PDF links, some pointing to potentially malicious domains, indicates an attempt to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=zombs+royale+aimbot+script
    • https://cdn.sqhk.co/jipodipotaj/eiePjhT/knockout_all_bowling_pins_brain_out.pdf
    • https://cdn.sqhk.co/dixejetafap/hg9hejh/this_war_of_mine_tips.pdf
    • https://cdn.sqhk.co/fomezawelud/cvQgiii/30429123315.pdf
    • http://vash-komfort5.ru/xoral08zn0.pdf
    • http://g2am2e.xyz/boratenemajimunivnabt.pdf
    • https://cdn-cms.f-static.net/uploads/4453329/normal_604e49b5537fd.pdf
    • https://static.s123-cdn-static.com/uploads/4402014/normal_5ff7d4acc5631.pdf
    • https://cdn-cms.f-static.net/uploads/4481673/normal_6044f5362ba54.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/807b5cce-167a-487f-b2e0-e50f3ddbfffd/what_key_is_johnny_b_goode_in.pdf
    • https://104e0e48-a4c2-4a03-8647-06ef64d4e6ac.filesusr.com/ugd/e2c6c1_ae89f14e5e924f7295fe7417370db2a6.pdf?index=true
    • https://9e084d23-5bbf-42ad-98e9-fa9200f8584e.filesusr.com/ugd/4f663b_d8e650f7a3024774a1dfe75f0a8f3266.pdf?index=true
    • https://05491ccc-77c7-428b-9c25-74f2c6c50d4a.filesusr.com/ugd/d51d36_c7019c4a1dd3402d86a9e3b782abf2ee.pdf?index=true
    • https://7e073981-ad1c-4081-8dc0-76946ba36063.filesusr.com/ugd/c4f63d_0feadd039ef04fb7b241283220ecb2e5.pdf?index=true
    • https://6f8cb219-4830-455d-9ced-b55e65700e85.filesusr.com/ugd/fd30ac_cc0d1ba436a6487f9349fd62fbe3d356.pdf?index=true
    • https://02687da8-bf2b-436b-a8ca-82c6e04513a5.filesusr.com/ugd/e48f8a_535cb225422845428e2116b967de2a83.pdf?index=true
    • https://uploads.strikinglycdn.com/files/99f7749c-f306-4040-8cbb-2400c22cc278/51087076305.pdf
    • https://4900ecec-7ac1-411c-be2c-b077674085c8.filesusr.com/ugd/493135_e777876853f5473fab95a4eda4108111.pdf?index=true
    • https://c370dac7-4848-4fa0-a6df-94361299e8ba.filesusr.com/ugd/fa6303_ac315eb87f494483a76410874751e37d.pdf?index=true
    • https://39c3e2ba-dcb8-4bc0-9ed7-0058f02c59d5.filesusr.com/ugd/fd4c29_94e890160e5045e8abbb5c16f45426d1.pdf?index=true
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_8c83a1fb56724093b79a24e585bb42f6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000e3fe.bin
    SHA-256: a7e109e90c50c49d281ba721ecef504466625e193bf624879f79a4f944f861f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3FE
    Size: 5276 bytes
  • font_01_sfnt_off0000f5db.bin
    SHA-256: 5d9480ef7d38be8ee4734d274223be7f48129a0ba430bd7ece90f1b66688e147
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5DB
    Size: 10580 bytes