Malicious PDF — malware analysis report

Static analysis result for SHA-256 750db0bd82ef3ede…

MALICIOUS

PDF

80.2 KB Created: 2021-03-15 02:52:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84de8db828ac909ab3444370c201f801 SHA-1: 95341c8fbf1256fb81e812e9dad4e1ae3266c1d6 SHA-256: 750db0bd82ef3ede97436961d90af7aa2bed640c5119e18c4e7a68848c337377
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for a link farm and an embedded URL pointing to 'xezojetit.ru', suggesting a phishing or malware distribution attempt. ClamAV detection as 'Pdf.Phishing.Trojan' further supports malicious intent. The document body, though heavily obfuscated, contains text related to an 'event guide', which is likely a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=lioden+july+event+guide
    • https://static.s123-cdn-static.com/uploads/4454277/normal_60061dac1f387.pdf
    • https://cdn-cms.f-static.net/uploads/4367281/normal_6033f020dc44d.pdf
    • https://static.s123-cdn-static.com/uploads/4410965/normal_5fed3231bf5e8.pdf
    • https://cdn-cms.f-static.net/uploads/4418001/normal_602cf58c849ba.pdf
    • https://static.s123-cdn-static.com/uploads/4393370/normal_6008f96c272ae.pdf
    • https://cdn.sqhk.co/nikazurokuv/iciegfD/globe_at_home_prepaid_wifi_antenna.pdf
    • https://static.s123-cdn-static.com/uploads/4405660/normal_6004508357979.pdf
    • https://cdn.sqhk.co/bijukipuj/6ih7Chb/37487789876.pdf
    • https://cdn-cms.f-static.net/uploads/4462730/normal_604507abcbbaa.pdf
    • https://cdn.sqhk.co/xolokenuw/gjTWnji/75503981118.pdf
    • https://cdn-cms.f-static.net/uploads/4422368/normal_60323d55749ee.pdf
    • https://static.s123-cdn-static.com/uploads/4474720/normal_6005eea55359c.pdf
    • https://static.s123-cdn-static.com/uploads/4489983/normal_5fe0389335906.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/448339d8-b2a4-4914-bea9-3d9b05870c0c/hbs_750_battery_replacement.pdf
    • https://7915398d-c9c2-4241-abdb-40cf742e4b8d.filesusr.com/ugd/d4df0f_6a13da21d4c94bd1af7b6735278cadbc.pdf?index=true
    • https://72cee60b-533f-4fda-9f40-87b1bb6f0553.filesusr.com/ugd/590778_4640d52a51624f9397f18399ac20d7a5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/29aee01d-d9f0-4102-8bea-0c892b5e6895/negakototup.pdf
    • https://4b4ea461-5266-411b-8735-d5290551f550.filesusr.com/ugd/7fedcf_9626a2bd426946148a4c9852976285f9.pdf?index=true
    • https://cc6d8859-fc08-4100-a073-55b48c5addfc.filesusr.com/ugd/238140_0fee94950cd646bb957a1d28644fecca.pdf?index=true
    • https://4cd5a77a-be8d-44ba-8952-4177873115c4.filesusr.com/ugd/930050_123a7d164c494953b5298d452a8999f2.pdf?index=true
    • https://7d14b3fe-44ab-47f5-a5a4-fb5d7998febd.filesusr.com/ugd/ba499c_a739937ced0f412e8cc477d906c469cf.pdf?index=true
    • https://78fc25e8-d533-4ec3-a480-3617e8cc0d4b.filesusr.com/ugd/aa5866_8cab4d6b90054dcb8e320c754c42af08.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bc7665ed-3e96-4383-991c-2546428b53f7/38290933201.pdf
    • https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_0a87e01e6999429581eacdd5ee9b8289.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc59.bin
b7ba50514bd7ad3d4900efd314753d288dd2005bcb0dded915c84f5db08b3f1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC59 4688 bytes
font_01_sfnt_off00010c7b.bin
f5131d7fac076168f668fb2d8afc96a899638c16ee1df6b499f6c9261a5b0158		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C7B 11440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.