Malicious PDF — malware analysis report

Static analysis result for SHA-256 772201e4e82003a9…

MALICIOUS

PDF

79.2 KB Created: 2021-04-02 16:20:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82b82d627861845d10cdfe497aa517cd SHA-1: 59c72b82d6fd85042d64a42e0f598b2e531bf655 SHA-256: 772201e4e82003a9d30f5e1b5144ebef96840cae99b28b920e18905ec6dcaf9c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic flagging it as a 'PDF_SEO_LINK_FARM'. One of the primary external URIs, 'https://xezojetit.ru/award?keyword=learn+binary+code+programming+pdf', is suspicious. While no scripts were explicitly extracted, the PDF structure and the presence of embedded URLs suggest an attempt to redirect users to potentially malicious content, aligning with phishing or malware distribution tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/award?keyword=learn+binary+code+programming+pdf
    • http://ruszaimclub.ru/bexunejifategololag8wv8b.pdf
    • https://static.s123-cdn-static.com/uploads/4380530/normal_6007c55432c1a.pdf
    • http://baffer-shop.space/lagimurawipiv90vxp.pdf
    • https://cdn-cms.f-static.net/uploads/4459025/normal_600f9edd2f3d3.pdf
    • http://priz24.site/85361178263lz097.pdf
    • https://kewetarutedur.weebly.com/uploads/1/3/0/9/130968996/lepumiwiweliji_telagade.pdf
    • http://bcpzon4segurabetaviabcp.com/ucanaccess_jdbc_driverx90a5.pdf
    • http://erethiztzj.space/mifud8y6rj.pdf
    • http://tehnopolis.org/miwosulorowilujatataloiq09h.pdf
    • http://pek-24.cc/37259841604np3d8.pdf
    • https://pulamawuba.weebly.com/uploads/1/3/0/8/130873907/9685617.pdf
    • https://mijutadozas.weebly.com/uploads/1/3/4/5/134590660/3729309.pdf
    • http://stav-games.ru/the_essential_life_book_australianeulz.pdf
    • http://f1l3download.site/64402843178l40fr.pdf
    • http://getyourscore.info/75191906879kdhhf.pdf
    • https://static.s123-cdn-static.com/uploads/4380393/normal_5ffb22f546aba.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/40909b06-ec7f-4566-9241-0aa55f28ea17/where_to_donate_clothes_and_household_items_during_covid_19.pdf
    • https://uploads.strikinglycdn.com/files/99a2c1ad-96b7-40b3-81e6-2766d498b0bb/how_to_sew_designer_dresses.pdf
    • https://uploads.strikinglycdn.com/files/1f68a0bc-22be-4f95-b024-7d9c176dc6fb/how_does_density_affect_gravity.pdf
    • https://uploads.strikinglycdn.com/files/1175d3dd-f54b-4f68-acca-a19ed454a93f/arkansas_drivers_permit_restriction_codes.pdf
    • https://uploads.strikinglycdn.com/files/df8adff4-2978-49c3-a07a-2896e2501319/sirixuvosuliradinono.pdf
    • https://uploads.strikinglycdn.com/files/8be0178a-2096-48a9-9095-6cbe145fb363/call_of_cthulhu_6th_edition_character_sheet_fillable.pdf
    • https://uploads.strikinglycdn.com/files/e24270eb-4aef-4dbe-a8fa-957ebea3583c/migavewez.pdf
    • https://uploads.strikinglycdn.com/files/3b9bbca7-7346-49b2-acb2-d0781b6db09f/simpsons_myers_briggs_infj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f780.bin
174105913ba08ebb85bc408fd8b6ba6fa5f17d86c58dfa0d630c4bf1210c4507		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF780 5448 bytes
font_01_sfnt_off00010a03.bin
7f8cab8f25a8523860a53f90a32ea10d2fb1b49eed41dd47cb90854db0cad577		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A03 10848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.