Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e829a8300170d16…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-03-24 03:26:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68b6060ea533b6a366f9977dc23aa363
SHA-1: 556eb12f850c19fa5b3f6d277ac22b25920acfdf
SHA-256: 6e829a8300170d160ed1e91e18aff318f026f7ac319a0d00d0e14cc027fdea73
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links and is flagged as a link farm: most targets are .pdf paths clustered on a single CDN host (cdn.sqhk.co), with one prominent keyword-style URL on 'lozipotod.ru'. That pattern, together with the HTML-to-PDF authoring application (wkhtmltopdf), matches mass-generated SEO carrier documents used to route users into phishing or unwanted-software delivery chains rather than a genuine citation list. The ClamAV signature and the ML classifier score both point to malicious intent, most likely phishing or trojan delivery. Note that although T1059.007 is mapped, none of the heuristics below reports JavaScript and the only carved artifacts are three embedded fonts, so the active content in this sample is the link actions themselves.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say which channel reached each URL, but they were not included in this export. The trailing entries (the RDF, Dublin Core and XMP namespace URIs, the font-foundry sites and the SIL OFL link) are almost certainly XMP metadata and embedded-font name-table strings rather than clickable links; the .pdf paths on cdn.sqhk.co and the keyword URL on lozipotod.ru are the link-farm targets.
    • https://lozipotod.ru/wb?keyword=music%20and%20movement%20activities%20for%20preschoolers
    • http://procripton.com/au_clair_de_la_lune_sheet_musicv2asx.pdf
    • https://cdn.sqhk.co/sogefuluf/geN8jb6/monster_hunter_3_ultimate_killer_beetle.pdf
    • https://cdn.sqhk.co/nutakurij/idPVGhi/74781334585.pdf
    • http://xarapover.mygamesonline.org/deep_learning_ian_goodfellow_github.pdf
    • https://cdn.sqhk.co/suxevevagova/uHjdhet/dragon_blaze_top_characters.pdf
    • https://cdn.sqhk.co/tisojubew/gYXNiii/criticism_of_contrastive_analysis.pdf
    • https://cdn.sqhk.co/gijosevozu/jtXBgeI/senate_race_polls_in_south_carolina.pdf
    • https://cdn.sqhk.co/saguregifu/gA5jbJR/cannon_shooter_motive.pdf
    • http://vbruti.site/65507483036zyv4g.pdf
    • http://gazedalepi.sportsontheweb.net/vocabulary_words_for_grade_1_with_pictures.pdf
    • https://cdn.sqhk.co/kivipemo/hhjdhid/43068504625.pdf
    • https://cdn.sqhk.co/lefidotoxono/aAieogi/vuxopaxa.pdf
    • http://cardioactiveuficiale.site/does_autozone_do_transmission_fluid_changey36yf.pdf
    • https://cdn.sqhk.co/dopiporajen/rjdagfA/machinarium_free_for_pc.pdf
    • http://mazisim.mywebcommunity.org/riesgos_psicosociales_en_la_adolescencia.pdf
    • http://prizinsta365.online/rovaxubawiwicubwx.pdf
    • https://cdn.sqhk.co/budajawisore/hibgcje/gumball_3000_route_2018.pdf
    • https://cdn.sqhk.co/fuvepelela/hjnl8gf/3d_movie_maker_game_online.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://ac3db616-04cb-40f1-8357-c67041f5e20c.filesusr.com/ugd/eda9ba_342392dea97c4d1fbc3e3472351b25af.pdf?index=true
    • https://3b044092-e341-4c69-a8e2-52b14fc1865f.filesusr.com/ugd/370021_791b331548334d489674c784fddd15cc.pdf?index=true
    • https://4adff18d-dc39-4349-be2c-eeb12737f1cb.filesusr.com/ugd/9117e0_616eb64d21ed4c0aaf8c421bc45d6bbd.pdf?index=true
    • https://a91873a8-1f5b-4151-915d-af39eb211f25.filesusr.com/ugd/3f80ec_755c20fba85441979518e1654d282d0a.pdf?index=true
    • http://davofunup.onlinewebshop.net/jozudikizun.pdf
    • https://28932ed2-21d9-4123-99cb-fcff0aac4472.filesusr.com/ugd/cc089a_8f3f547d8fd249498a10724022ac1771.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
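The link-farm and duplicate-object heuristics above, re-implemented as an added example that is not the scanner's own code. It assumes uncompressed indirect objects and the usual `/A << /S /URI /URI (...) >>` link-action syntax, uses illustrative thresholds (10+ links, under 200 KB, half or more on one host), and runs over a constructed sample PDF with placeholder hostnames (cdn.example.test, farm-a.test, evil.example.test) rather than the analysed file. It also shows what a first-wins and a last-wins reader each resolve for the redefined object:

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' in file order. Assumption: objects are stored
# uncompressed (no /ObjStm), which holds for the link annotations in
# typical wkhtmltopdf output but not for every PDF.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# In '/A << /S /URI /URI (...) >>' only the second /URI is followed by '('.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def iter_objects(pdf: bytes):
    """Yield (num, gen, body) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(pdf: bytes) -> list:
    """All /URI action targets, decoded as Latin-1 (PDF string bytes)."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def link_farm_score(pdf: bytes, *, min_links: int = 10,
                    max_size: int = 200_000, host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: small file, many external links,
    most of them on one host. Thresholds are illustrative assumptions."""
    uris = extract_uris(pdf)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    return {
        "size": len(pdf), "links": len(uris), "pdf_links": pdf_links,
        "top_host": top_host, "top_host_share": round(share, 2),
        "hit": len(pdf) <= max_size and len(uris) >= min_links
               and share >= host_share,
    }


def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: {(num, gen): [bodies]}
    for every object number defined more than once with differing bodies."""
    seen = {}
    for num, gen, body in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """What a first-wins or last-wins reader sees for object (num, gen)."""
    bodies = [b for n, g, b in iter_objects(pdf) if (n, g) == (num, gen)]
    return bodies[0] if policy == "first" else bodies[-1]


def link_annot(num: int, url: str) -> bytes:
    """One /Link annotation carrying a /URI action (constructed helper)."""
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, url.encode()))


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: 12 link annotations, 9 of
    them on one host, followed by an incremental update that redefines
    object 4 with a different URI. The xref table is omitted because
    nothing here consults it; hostnames are placeholders."""
    urls = [f"https://cdn.example.test/u{i}/doc{i}.pdf" for i in range(9)]
    urls += ["http://farm-a.test/1.pdf", "http://farm-b.test/2.pdf",
             "https://seo.example.test/wb?keyword=preschool"]
    first = 4
    refs = b" ".join(b"%d 0 R" % n for n in range(first, first + len(urls)))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs
             + b"] >>\nendobj\n"]
    parts += [link_annot(n, u) for n, u in enumerate(urls, start=first)]
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number, different body.
    parts.append(link_annot(first, "https://evil.example.test/payload.pdf"))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    for (num, gen), bodies in duplicate_objects(sample).items():
        print(f"object {num} {gen} defined {len(bodies)} times with "
              f"{len(set(bodies))} distinct bodies")
        print("  first-wins:", resolve(sample, num, gen, "first"))
        print("  last-wins: ", resolve(sample, num, gen, "last"))
```

The regex scan deliberately ignores the xref table and trailer, which is what makes the duplicate-object check useful: a reader that trusts the last xref sees only the updated body, while a reader that rebuilds the table from the file start may pick the first one. On a real sample the same scan needs object streams inflated first, otherwise links inside /ObjStm are missed and the link count under-reports.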

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f6d9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6D9
    Size: 5344 bytes
    SHA-256: 86b58670c80701c14c24421417bf23c353bb910deacf0ac934283401196d9f8d
  • font_01_sfnt_off000108db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108DB
    Size: 11256 bytes
    SHA-256: 3c71763667da33f8ad8375eafadfeb0721b7e47ec590a0e4dbb2e69f5bafa245
  • font_02_sfnt_off00012f23.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F23
    Size: 4324 bytes
    SHA-256: ad623bc7c681097dfa1224999cf6cc6072d3ca9a137655dc1129b0261f0b357c