Malicious PDF — malware analysis report

Static analysis result for SHA-256 83dc43b30fad9b58…

Verdict: MALICIOUS
File type: PDF
Size: 87.1 KB
Created: 2021-03-14 14:40:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f59df330b517febca6a1de3f54351bfb
SHA-1: 511e0ed0abedd836d48547f1489b59647dd90ca8
SHA-256: 83dc43b30fad9b5852961e8106e583440a75874b3c85e211366efdb3ad0f4142
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with a significant heuristic firing indicating a 'PDF_SEO_LINK_FARM'. The document body, though heavily obfuscated, contains text related to 'editorial photography' and the wkhtmltopdf tool, suggesting a lure to external content. The presence of many external links, including one to 'lozipotod.ru', points towards a malicious SEO or link-farming scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010ba5.bin
    SHA-256: 532b9f4adc5ab99d80da6642dbbc7212607110f0049d12dd9c7512f030e75cbb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BA5
    Size: 5036 bytes
  • Filename: font_01_sfnt_off00011ce4.bin
    SHA-256: 205046ae5ceb014e26826b98230047348af6604a3ee46af81091a51615d5fa26
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CE4
    Size: 10580 bytes
  • Filename: font_02_sfnt_off000140f2.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x140F2
    Size: 4324 bytes