Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ed0e7742c6ec2ef…

MALICIOUS

PDF

Size: 78.8 KB
Created: 2021-03-27 17:41:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65bde600da1a96ce25ca694e55bbd916
SHA-1: b7f46e8ec41b950acb80da939dd9de4114ad6959
SHA-256: 8ed0e7742c6ec2ef2b11a00ee98c99138e73ff3d3557b5df08319dcfcf40de0b
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking PDF files, but one key URL, 'https://soxebez.ru/wix?keyword=pokemon+black+rom+apk', is associated with a phishing lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or distributing further malware. No scripts were extracted, but the structure suggests a link farm designed to obscure malicious destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/wix?keyword=pokemon+black+rom+apk
    • https://cdn.sqhk.co/buzomesil/eGXQheb/4_skill_1_heroe_mago.pdf
    • https://cdn-cms.f-static.net/uploads/4377704/normal_600a5e10cf179.pdf
    • http://jesusotes.22web.org/australian_cardiology_guidelines.pdf
    • https://cdn.sqhk.co/ladetozuxi/uieMLha/find_words_from_the_word_reality.pdf
    • https://wuselusovofose.weebly.com/uploads/1/3/1/1/131164562/pagemomasepe-puponiruk-vifalifoz-sowezuwejivuju.pdf
    • http://bulakirip.getenjoyment.net/82146136172.pdf
    • https://static.s123-cdn-static.com/uploads/4461249/normal_5ffe461d02476.pdf
    • https://static.s123-cdn-static.com/uploads/4420248/normal_5feffa84c998e.pdf
    • https://torurukiruxo.weebly.com/uploads/1/3/4/5/134529807/5020314.pdf
    • https://cdn.sqhk.co/zebimapajod/idE4big/pesokifekibamadud.pdf
    • https://cdn-cms.f-static.net/uploads/4405202/normal_605b9f38c15fc.pdf
    • http://fesupopimos.66ghz.com/41741212155.pdf
    • http://niwopofe.scienceontheweb.net/43531994185.pdf
    • http://sizoxuk.22web.org/badrinath_movie_video_song_hd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://49b821e7-ee7e-41b4-809b-d0417b8c1ddf.filesusr.com/ugd/927743_e2b6cf7e74a740d4b7b97e50251523be.pdf?index=true
    • https://e4da1597-3bb3-488b-9226-7c2c9e06e9ce.filesusr.com/ugd/db5d73_384c53dc4d9c46e7b73d2481c8f2db43.pdf?index=true
    • https://4b0cdf75-2e42-4830-99f1-bbdbaec3f661.filesusr.com/ugd/891219_67ab9e45dcfc484186ad96db42e1cea1.pdf?index=true
    • https://d1ee23ee-9ccf-45b0-80ef-1e1ff1f657c4.filesusr.com/ugd/9ef0c3_e4a552d324524555809652f9bdf90e29.pdf?index=true
    • https://933527c5-e005-4225-a3aa-05fee46c7696.filesusr.com/ugd/b51dd5_99a627f206214d82b724fffc8dcbb0a6.pdf?index=true
    • http://zavivemigowoson.epizy.com/lagu_katy_perry_birthday_remix.pdf
    • http://nokakegobowu.epizy.com/united_reformed_church_mersey_synod.pdf
    • http://gupizamowakop.myartsonline.com/job_application_letter.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000ed0c.bin
    SHA-256: d54c4c14db54cc2c86b841aac51b0a8eacb834c9908546d2ac4741d168ea12c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED0C
    Size: 5108 bytes
  • font_01_sfnt_off0000fe57.bin
    SHA-256: 1cc9700da18e3b85ff63e2a4767f29a419fadb7a3b45c17efc2149cff2ea05fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE57
    Size: 20136 bytes