Malicious PDF — malware analysis report

Static analysis result for SHA-256 82ffd19e882aa6d7…

Verdict: MALICIOUS
File type: PDF
Size: 80.2 KB
Created: 2021-05-25 13:23:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 37b057b996c830d6902f133ddbadb809
SHA-1: 760e8b9c600640aa852a9bdf6b2facd72929cc53
SHA-256: 82ffd19e882aa6d756f296e8ae5f0c9e851a73e6cc01e676c83197347557c2ea
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. It contains an embedded URI pointing to 'xezojetit.ru', which is likely a lure to download malicious software disguised as emulator downloads. The PDF structure also suggests a link farm, potentially to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xezojetit.ru/strik?utm_term=pcsx2+ps2+emulator+for+android+apk+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000ef6a.bin
    SHA-256: 752bfd795eb5e1f370f40c43c87a7a20b1df19580ce6d554bf26f23a4c98bdf0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF6A
    Size: 5656 bytes
  • font_01_sfnt_off000102ae.bin
    SHA-256: 10ffc79d30d431a3622435bb7f7b790881ce67711bfa58f530d96f7f33665707
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102AE
    Size: 15600 bytes