Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f95ad852f669a58…

MALICIOUS

PDF

Size: 106.5 KB
Created: 2021-05-21 12:29:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b3f737e3087add3564bf382e3deabe1
SHA-1: dabbcf05d1082a509d3d1304880ac96a04461220
SHA-256: 7f95ad852f669a58a2e5b017db6dc4a08e02fba4ca7fd11a35738924efaa2f24
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for phishing or SEO spam. One prominent URL, 'https://xezojetit.ru/strik?utm_term=dls+20+profile+data+unlimited+coins', suggests a lure related to obtaining profile data or coins, indicative of a phishing or scam attempt. The presence of multiple PDF links and the ML classifier flagging it as malicious further support this assessment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9976

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_004_off00016da9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x16DA9
    Size: 19716 bytes
    SHA-256: 36f0ddb7ead3fbc2a4ee55a318569591db3333c81f5d8e6107553bc0ab8c483b
  • font_00_sfnt_off00012fb6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12FB6
    Size: 5456 bytes
    SHA-256: 13024de25d0787778a47764982a23e71c856f1d6d562a452ebc3343b3471cf96
  • font_01_sfnt_off00014224.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14224
    Size: 13820 bytes
    SHA-256: b5c5dfda3dea8eedc338d19d8129dafa3fc0b4c19de87dd3139961f215d9797e
  • font_03_sfnt_off00018db8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18DB8
    Size: 4324 bytes
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333