Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a7f00d45a89f579…

Verdict: MALICIOUS

File type: PDF

Size: 76.7 KB
Created: 2021-03-18 12:49:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d513962afc2f7c9b7f35c9fb298080d
SHA-1: 746d58bc2d9fe656e3430f0a9a271f9e347fd050
SHA-256: 8a7f00d45a89f579c3d04388b1b5770cd927769b7a1ad8eddc36f9c0f3ed2489
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was detected as malicious by ClamAV and by the machine learning classifier. It contains a large number of external links, many of them to PDF files hosted on a handful of file-hosting domains (cdn.sqhk.co, weebly.com, filesusr.com), the pattern of a generated link farm or SEO-poisoning carrier rather than normal document citations. One of the primary external URIs, 'https://resalured.ru/wix?keyword=2002+yamaha+v+star+1100+spark+plugs', carries a search-keyword lure and appears to lead to a malicious site. The document body is heavily obfuscated, but the external links together with the heuristic hits indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=2002+yamaha+v+star+1100+spark+plugs
    • https://cdn.sqhk.co/tatidukigag/jahgkUn/76898452607.pdf
    • https://topasotasakaro.weebly.com/uploads/1/3/0/8/130874498/reradewirivikaka.pdf
    • https://cdn.sqhk.co/xagaxubibiz/whfgchc/devolalazevalorefuru.pdf
    • https://cdn.sqhk.co/zanemulazif/ijb8jgo/hit_or_miss_lyrics_new_found_glory.pdf
    • https://nasamokazefo.weebly.com/uploads/1/3/6/0/136049887/nusenebi.pdf
    • https://vamewufu.weebly.com/uploads/1/3/4/3/134317042/2416979.pdf
    • https://cdn.sqhk.co/feripamapuv/6Zi9cd6/who_dies_first_in_the_outsiders.pdf
    • https://cdn.sqhk.co/pimupigedu/iiighcY/yu_gi_oh_duel_links_download_mod_apk.pdf
    • https://kexawugidatenak.weebly.com/uploads/1/3/4/3/134338825/pojegakorixikoxi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_bb58aca411fb49708cf4bd2376e2dd12.pdf?index=true
    • https://f39f7cea-6337-46de-af4f-699959e6db0a.filesusr.com/ugd/004672_6a0bdb1c021943ec8388d615dbe76db4.pdf?index=true
    • https://91e55214-10ad-44cf-a10a-60a9392df58b.filesusr.com/ugd/e1c37d_01913299f9594ea2860b6b12e819b1e4.pdf?index=true
    • https://bfb79b04-db4d-4c54-a74a-4733ff68ceb9.filesusr.com/ugd/11291b_a937c21a68d54ed4a9c1978e07d3948b.pdf?index=true
    • https://ce322291-b3da-4cc2-ae0f-523e25daec44.filesusr.com/ugd/4530da_28dd207780a740b29a63e05d2aecaedf.pdf?index=true
    • https://80f75f89-a1e3-4611-a0ef-7a704eb82da9.filesusr.com/ugd/0286dd_517dd8f3dfee4298a48c714785089a33.pdf?index=true
    • https://a49aa754-465e-4bbd-924e-b3d0e7b66bd4.filesusr.com/ugd/81d6a4_b65bf76d923d4675ac38d67d0458b8ae.pdf?index=true
    • https://d497f082-4895-42de-a72c-038d9367c8a3.filesusr.com/ugd/8e727b_190d7800fd3344f69ef401f36802f1d5.pdf?index=true
    • https://97d49ff2-d914-4ae4-8ac8-5e5cf5f77cad.filesusr.com/ugd/6350c7_7890d3e25b854e3787feac9eb9dd3df8.pdf?index=true
    • https://62abf401-5fc9-4991-ac00-cb6a0c8cf8ec.filesusr.com/ugd/e4ff69_b24902ff575848d2bd0d67e72b0f8758.pdf?index=true
    • https://1b53f64c-3596-40ff-86ea-95cec8902569.filesusr.com/ugd/838e7e_286eef448e124d27a4b75707c20dfa41.pdf?index=true
    • https://cb6d8354-940b-4e05-9f1d-0150973ab277.filesusr.com/ugd/882da0_dc1b49509f1a4981ba37058d196b330c.pdf?index=true
    • https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_7374a455ede445f4a9afead1123cb9ad.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
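The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small object scanner. The Python below is an added example written for this page; it is not the scanner's own detection logic, its thresholds (200 KB, at least three .pdf links, half of them on one host) are assumptions, and the PDF bytes are a constructed sample, not the analysed file. It shows why the duplicate-object shape matters for triage: a first-wins reader and a last-wins reader extract different link sets from the same bytes.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal PDF whose page carries
# five /URI link annotations, followed by an incremental update that redefines
# object 5 0 with a different body. Xref tables are omitted because this
# scanner walks object bodies directly instead of trusting the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/a/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/b/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/c/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/typedesigners.html) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/d/four.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.org/wix?keyword=spark+plugs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string URIs without escaped parentheses only; hex strings <...> and
# \) escapes would need a real PDF string tokenizer.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(data):
    """Every 'N G obj ... endobj' definition in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(N, G) pairs defined more than once with differing body bytes."""
    first_body = {}
    dups = []
    for num, gen, body in parse_objects(data):
        key = (num, gen)
        if key in first_body:
            if first_body[key] != body and key not in dups:
                dups.append(key)
        else:
            first_body[key] = body
    return dups


def link_uris(data, resolution="last"):
    """URI actions as a first-wins or a last-wins reader would resolve them."""
    resolved = {}
    for num, gen, body in parse_objects(data):
        if resolution == "first" and (num, gen) in resolved:
            continue
        resolved[(num, gen)] = body  # last-wins overwrites in place
    return [m.group(1).decode("latin-1")
            for body in resolved.values()
            for m in URI_RE.finditer(body)]


def link_farm_score(uris, size_bytes, max_size=200_000, min_links=3, cluster_ratio=0.5):
    """Flag a small PDF whose external .pdf links cluster on one host.

    Thresholds are assumptions for this example, not the scanner's values.
    Returns a dict describing the cluster, or None when the shape is absent.
    """
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if size_bytes > max_size or len(pdf_links) < min_links:
        return None
    top_host, top_count = Counter(urlparse(u).netloc for u in pdf_links).most_common(1)[0]
    if top_count / len(pdf_links) < cluster_ratio:
        return None
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_links": top_count}


if __name__ == "__main__":
    print("duplicate objects:", duplicate_objects(SAMPLE_PDF))
    for mode in ("first", "last"):
        uris = link_uris(SAMPLE_PDF, mode)
        print(mode + "-wins URIs:", uris)
        print("  link farm:", link_farm_score(uris, len(SAMPLE_PDF)))
```

Run against the constructed sample, the duplicate check reports object 5 0, the first-wins view sees four .pdf links on cdn.example.net, and the last-wins view sees three plus the keyword lure that the update slipped in. Real samples usually keep annotations inside compressed object streams, so a production scanner has to inflate FlateDecode streams before this kind of regex pass, and a body-only duplicate on its own is only worth raising when the replacement body carries an action, as the heuristic text notes.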

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000eb8e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEB8E   5688 bytes
  SHA-256: b7ade616667b8513a7c7f99e33039ca6ea4577c7ca2b77f116d0b52851d4a786
font_01_sfnt_off0000fed1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFED1   11224 bytes
  SHA-256: 43bcea4c7bea88f531a3e56b95e2f5d751dcc07e7c2cbc18624ca3ccfc750f9b