Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a86134b740a6bd2…

Verdict: MALICIOUS
File type: PDF
Size: 69.4 KB
Created: 2021-03-28 18:22:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ea0fa59db25852993cc398c3bbf04575
SHA-1: 2a925bac83a531ab3c8dc5b8af7e22e72a790de4
SHA-256: 7a86134b740a6bd20d96d38868278a036bcb35b3e3c91ba54d5f90ecb04376a2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is a malicious link farm, with numerous external URIs pointing to potentially harmful content. The primary malicious URL identified is soxebez.ru, disguised as a financial confirmation template. While no scripts were explicitly extracted, the PDF structure and embedded links strongly suggest an attempt to redirect users to a malicious site for phishing or further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/123?utm_term=isda+fx+swap+confirmation+template
    • http://teksalle.xyz/pedivb8xvp.pdf
    • http://usacreditreport.info/ninesogovu5xgdk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a98f38e8-5810-4fc9-be6a-c3d78c7c4f9f.filesusr.com/ugd/921909_0c01ea2c7f314c36a1e8f75e845c65cf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d368635f-5457-460a-a5f7-67514f80dc5c/mcculloch_pro_mac_610_repair_manual.pdf
    • https://uploads.strikinglycdn.com/files/ce11b8ca-11bc-4aa4-81da-b82beaf8088f/kenmore_microwave_model_721_parts.pdf
    • https://uploads.strikinglycdn.com/files/41c55a68-c912-41d1-94f7-0871f4784308/para_monitorear_redes_lan.pdf
    • http://degejukifukux.epizy.com/weradoxelagolewutadegoze.pdf
    • https://uploads.strikinglycdn.com/files/8789810d-8c7f-4717-a813-1566529ba486/dwarf_fortress_release_date_steam.pdf
    • https://d992f69e-bc5b-430a-92d7-abfd66d0380b.filesusr.com/ugd/6f7357_9148096816494c64b2d5082d6fb65c59.pdf?index=true
    • http://zevideto.rf.gd/google_calendar_per_pc.pdf
    • https://f6ea5e03-7e7c-4dce-82ee-fd5d223759ef.filesusr.com/ugd/d203ad_e3cab0b07f2e42b68f8f64ce4cb22805.pdf?index=true
    • https://71bfc0c6-4bef-405a-aee6-9e9dcaab3d12.filesusr.com/ugd/708cfd_c0c730800f1044e3ac583363513a5472.pdf?index=true
    • https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_b100a2a32bcc4cf79de996a3cf171645.pdf?index=true
    • https://1e1f235d-56dd-4976-b20d-d38e3fe7b172.filesusr.com/ugd/210b45_d4505aea1f654531aff3c2ae5559b20a.pdf?index=true
    • https://05b56818-8b0b-4484-a411-4f1234233f1c.filesusr.com/ugd/e49726_097fa18f09af47679476a335a7b00840.pdf?index=true
    • https://71e5fc8e-cc9a-4633-96c3-2c70acd464d0.filesusr.com/ugd/f08e01_fab51b575f9f4d379a4933b9ea799d6a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b6341810-8557-4227-8a51-8068499ea964/but_now_were_stressed_out_remix.pdf
    • http://roruvavaderej.epizy.com/4441848925.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d460.bin (SHA-256 335b2731510059d818b5c5642eef683426371e228a960a35cb4acde4f083e896) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD460 | 5396 bytes
font_01_sfnt_off0000e6bd.bin (SHA-256 d70f3c3215c87df3095bb6336b7753b674a7fbe29b535c1a5f7d4b601ebec541) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6BD | 9896 bytes