Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fcc9521deb98fac…

MALICIOUS

PDF

73.9 KB Created: 2021-03-17 06:33:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d5364b40fea0442faedde14a9e1eb0fe SHA-1: 7aedad78683ccdca4e86e1adbedb8a3f1e5070c0 SHA-256: 6fcc9521deb98fac9e3333cd37667d51a2285de8d84aef777c74df5db4e03f53
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing attempt. The embedded content, though heavily obfuscated, appears to be related to game cheats, likely a lure to direct users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/wix?keyword=dragonvale+cheats+2020
    • https://pulisojoperun.weebly.com/uploads/1/3/4/4/134487891/9063407.pdf
    • https://dopitusorotid.weebly.com/uploads/1/3/0/7/130738794/zujizabumat.pdf
    • https://jomagikovire.weebly.com/uploads/1/3/1/4/131408086/nuseduwin_xujovemokaku_kivume_jujaxizomadobi.pdf
    • http://mirumumavetifun.mypressonline.com/take_five_numbers_payout.pdf
    • http://boforotaje.mywebcommunity.org/tizix.pdf
    • http://ripuvajuze.iblogger.org/examen_toefl_2020.pdf
    • http://lebojabufi.medianewsonline.com/zuwikuwopimumojeg.pdf
    • https://zefojakafi.weebly.com/uploads/1/3/0/7/130776787/1682568.pdf
    • http://lipuwisapi.mywebcommunity.org/agent_agreement.pdf
    • https://teliwunamadawab.weebly.com/uploads/1/3/1/3/131381891/benigokube.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jizuwugi.rf.gd/84882095761.pdf
    • https://95a83a18-022f-4aa5-9dc2-588eac4c5c4a.filesusr.com/ugd/ccb6ab_33e819d396954a13a55d57701b800050.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d0e820bc-5a3c-4c8f-9887-8ffdee2fe35b/61116394756.pdf
    • https://uploads.strikinglycdn.com/files/43fe7ecc-4d10-49be-83ad-805030a20958/d-link_dap-1650_wifi_range_extender_ac1200_review.pdf
    • https://uploads.strikinglycdn.com/files/e92b51a6-b9ea-4cdd-9c20-eba2c8ca6bd7/87145312751.pdf
    • https://a84030a7-2e48-4039-807a-383e2b7216cc.filesusr.com/ugd/c5d40f_802f5987f01e4e5fbb90e9176595b468.pdf?index=true
    • https://uploads.strikinglycdn.com/files/99da8255-7180-40f8-b503-f9197084be9c/we_dont_care_lyrics_demon_hunter.pdf
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_5943f60e0d1e4b5e90f5377db6779a01.pdf?index=true
    • http://vaguwiraji.rf.gd/87703545882.pdf
    • https://0e01c86c-6ad9-43de-bc04-b8819f410213.filesusr.com/ugd/73c254_93991905f94c49a69d1b7efc262c761b.pdf?index=true
    • http://rawigukegopafot.onlinewebshop.net/what_is_the_shortcut_key_for_display_properties.pdf
    • https://334e481f-4595-4613-8514-cf1b68b0f675.filesusr.com/ugd/a5bb32_8a04af1c617044739139aa99d216be5f.pdf?index=true
    • https://d670dda7-df53-4ef1-8eda-d3256df28744.filesusr.com/ugd/dbbbec_25507e76aefb473697474497603edab8.pdf?index=true
    • https://a181bb3e-7445-4f1f-a1cf-b2fe66c13e92.filesusr.com/ugd/91ce54_a8360b1a4bd84963993dd4fcbba622bf.pdf?index=true
    • http://junakaz.epizy.com/sintomas_de_retinopatia_diabetica.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e249.bin
058f80883a24a9579bf96c06ece9212221dc0ebc7eab63310711e4ce16cfe83f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE249 5396 bytes
font_01_sfnt_off0000f4ad.bin
20a1cb06d8d4a24b11c76d7148b19b746b0aef38cdce0ff04d6c43ab3b119974		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4AD 11012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.