Malicious PDF — malware analysis report

Static analysis result for SHA-256 76ad7b66496c9f88…

Verdict: MALICIOUS
File type: PDF
Size: 91.6 KB
Created: 2021-05-24 11:33:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: f17ce3f764cf57ae9edc60c97d73ba41
SHA-1: b2094539eb38fcfd7985a2784229746d3e3be90d
SHA-256: 76ad7b66496c9f8866e35cfa18c2260f1bfaa01342066412806baa76012de7dd
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for SEO poisoning or redirecting users to malicious sites. One prominent URL, 'https://golowaki.ru/strik?utm_term=pokemon+x+and+y+cheat+codes+citra', appears to be a lure, suggesting the document's purpose is to drive traffic to this site. While no scripts were directly extracted, the PDF structure and the presence of many external links indicate a likely attempt to exploit users through deceptive content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1420

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=pokemon+x+and+y+cheat+codes+citra (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012e5d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E5D
    Size: 5384 bytes
    SHA-256: e2cba82e5bccccc403555f27c148c11adae501028758f0aae56d168ee8ce4e3c
  • font_01_sfnt_off0001408a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1408A
    Size: 12360 bytes
    SHA-256: 893695bb1e3df95808bab1a9960b9ec0a8f7e86f5e2f009f6e0e8e57cd5bfdf3