Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d438fca9b5b8ed1…

Verdict: MALICIOUS
File type: PDF
Size: 99.1 KB
Created: 2021-03-23 05:39:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4887e1a2ff3f1566cfc90b6096044738
SHA-1: 329f610cc8c93ba2298a769381850092ba09f2e7
SHA-256: 6d438fca9b5b8ed130aca2c27354b559a8c03876544fa1a1a0eba592f8fe42d8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic identifying it as a 'PDF link farm'. The primary malicious URL, https://xezojetit.ru/wix?keyword=..., is likely used to redirect users to malicious content or phishing pages. While no scripts were directly extracted, the PDF structure and the presence of external links suggest an attempt to exploit users through a malicious document, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=%25E0%25B8%25A1%25E0%25B8%25B4+%25E0%25B8%2599+%25E0%25B8%259E%25E0%25B8%25B5%25E0%25B8%258A+%25E0%25B8%258D%25E0%25B8%25B2+%25E0%25B8%25AA%25E0%25B8%25B9%25E0%25B8%2587
    • http://wisagomojinux.iblogger.org/what_requirements_do_you_need_to_join_the_navy.pdf
    • http://naturagrush.space/562682087627mgox.pdf
    • http://fepotarugagi.22web.org/18._2_conjunctions_and_interjections_answers.pdf
    • http://gufutaca5.xyz/nifuvirefamumufirovonee431y.pdf
    • http://zufufamaz.66ghz.com/wanavokagojobajigivu.pdf
    • http://doordash.link/lifobodipaxaxiwuselefupekk9uyt.pdf
    • http://winoraama.site/what_are_the_5_basic_elements_of_communicationj6ebb.pdf
    • http://steblin.pro/how_to_build_a_manual_machineqx9pk.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jizubisetebof/logofetutenu.pdf
    • https://s3.amazonaws.com/voxulija/praise_and_worship_powerpoint_backgrounds_free.pdf
    • https://uploads.strikinglycdn.com/files/1a11905e-da8c-4a14-8409-150df20407ba/lisilix.pdf
    • https://s3.amazonaws.com/suxiweke/unclear_pronoun_reference_worksheet.pdf
    • https://s3.amazonaws.com/vawoginele/business_case_analysis_template_free.pdf
    • https://uploads.strikinglycdn.com/files/11b9f4bf-b1e2-48a8-ae43-b6d308010553/jifogulifudatejazimunat.pdf
    • https://s3.amazonaws.com/gafedupeba/44407044647.pdf
    • https://7fc1e5b2-1dd8-4457-9de2-3dea1ab9f589.filesusr.com/ugd/fedd61_984b86a7e11c40769f3193493dc98a51.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0c5ab9ca-218c-4523-970e-a7088063fe1f/algebra_with_pizzazz_did_you_hear_about_page_31_answers.pdf
    • https://uploads.strikinglycdn.com/files/c4cfa997-e1f7-4a9b-b34d-5ab83a087258/32555795230.pdf
    • https://uploads.strikinglycdn.com/files/460e03be-5534-4a07-8dcf-e5cfc65ea6dd/lewibates.pdf
    • https://s3.amazonaws.com/zatazewoz/java_de_64_bits.pdf
    • https://s3.amazonaws.com/lixisariwulo/bijunobizamawoni.pdf
    • http://sekijipaladi.epizy.com/scorched_earth_full_movie_free.pdf
    • https://d75bbb92-b0e4-4b50-83e6-2443e695523b.filesusr.com/ugd/bc73b9_978111e323724f938bae4b769b650f7b.pdf?index=true
    • https://s3.amazonaws.com/wixatax/what_is_kakashis_red_eye_called.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00012579.bin
    SHA-256: e78276ca23946dc716afcc1d0bc27869d8d939eafc130498266f118ce0f90f3d
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x12579
    Size: 18884 bytes
  • Filename: font_00_sfnt_off00010281.bin
    SHA-256: 8e72149c7ce3095aec9cecc072f8a515df207c00aebf785f12c4fc197e954f4b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10281
    Size: 4068 bytes
  • Filename: font_01_sfnt_off0001105b.bin
    SHA-256: 51fb5a907e528f9d65af73fb429c3f1646f757c8d5b5cc7818deaa9db052646c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1105B
    Size: 7784 bytes
  • Filename: font_03_sfnt_off000157ef.bin
    SHA-256: bad469b0d42217da5b0f828fa3a1f02c50d60c8a7c865ae229b6a2298935da95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x157EF
    Size: 10260 bytes