Malicious PDF — malware analysis report

Static analysis result for SHA-256 8642572bf4ebb562…

MALICIOUS

PDF

87.9 KB Created: 2021-04-01 00:03:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fcabf1ef05dbbc2a62a766a81ba551f SHA-1: 4fbb254b43d07a9b16a6a49fe62614624fd73e33 SHA-256: 8642572bf4ebb562ceafa1d1879b78618904df9ca6cd1a83c0d81aa2566fbee3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document contains a large number of external links, suggesting it functions as a link farm. One of the primary URLs identified is https://mezovuduw.ru/wix?keyword=hay+day+hacks+reddit, which appears to be a lure for potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=hay+day+hacks+reddit
    • http://copyright-infringement.business/51449000270d1pkh.pdf
    • http://yesnutural.space/kukibopuvumakamapukitezbjb89.pdf
    • https://cdn.sqhk.co/fakupavod/AMidjfa/wofumuzamatajuma.pdf
    • https://cdn-cms.f-static.net/uploads/4426571/normal_603bf05c5b9e6.pdf
    • https://cdn.sqhk.co/vakanaju/TggaiiY/airplane_flight_pilot_simulator_3d_free.pdf
    • https://lanasasaf.weebly.com/uploads/1/3/0/8/130815311/penijuwidare_negusi_kagaranebodad.pdf
    • https://jefiwosu.weebly.com/uploads/1/3/1/3/131379536/b281bbae2a887.pdf
    • https://mubuwevuli.weebly.com/uploads/1/3/4/5/134528176/vemaja-subovugenum-sedixe.pdf
    • https://cdn-cms.f-static.net/uploads/4408588/normal_602353ae9f2ab.pdf
    • http://weraka.online/de_que_trata_la_novela_la_iliadaqwmr9.pdf
    • https://cdn.sqhk.co/kuniremolu/gcjcrUB/top_10_rpg_online_games_for_android.pdf
    • https://cdn.sqhk.co/zuxafopagad/uidCxgc/teri_ankho_ka_kajal_song_mp4.pdf
    • http://nominasacra.ru/616062236949ytub.pdf
    • https://bovusobovazova.weebly.com/uploads/1/3/4/5/134596491/e29f00fa550e.pdf
    • https://vusekuzobogurow.weebly.com/uploads/1/3/5/3/135327372/kuvun.pdf
    • https://cdn.sqhk.co/ropimipaf/hgi2c4x/the_trip_to_italy_restaurants.pdf
    • http://feelslike35.com/life_without_education_is_nothing_sangon1ihg.pdf
    • http://antinomi.design/kenmore_refrigerator_model_number_253_sizeo8car.pdf
    • https://cdn-cms.f-static.net/uploads/4412575/normal_604d988fa6f3c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://0e098354-e5d1-4afc-9be7-763a70ae5e44.filesusr.com/ugd/ef253e_2004601eed1342d6a75172f40ca9fa70.pdf?index=true
    • https://83d7d1d1-3661-4158-a2cc-78aa4aa39d08.filesusr.com/ugd/163759_925770802f24483e863849aaf24fad11.pdf?index=true
    • https://81d89a68-18ac-4cf1-ad00-ddd5d2f7da41.filesusr.com/ugd/ed58ef_d1d5344bd9754f7ea92bba651cc89a23.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010d5f.bin
8851a099d782985ac4b790623fd04f3e063cbdd0776292e05f93364722218fa0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D5F 4696 bytes
font_01_sfnt_off00011d64.bin
f9ca32520d01ee9d549c955daf7a306d1b1948a9f1da3799f554b0739b12aa7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D64 11224 bytes
font_02_sfnt_off000143c1.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0x143C1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.