Malicious PDF — malware analysis report

Static analysis result for SHA-256 905a9bec0abd903c…

Verdict: MALICIOUS
File type: PDF
Size: 74.6 KB
Created: 2021-03-17 20:34:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 534430b0bad8d3b0402c146ff8d9eade
SHA-1: aec5c8755fd3eff58cbdcc1bf27789ee4820581c
SHA-256: 905a9bec0abd903c3a7b64e9078d75468e38ec729b9e322a3e2ab99f7852a10d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier score indicating maliciousness. The PDF contains a large number of external links, which is consistent with a link farm or phishing lure. One of the extracted URIs, 'https://xezojetit.ru/123?utm_term=acta+constitutiva+srl+pdf', is the primary indicator of malicious intent and likely leads to a phishing page or a malware download. No scripts were extracted, but the PDF structure and the numerous external links strongly suggest that the document exists to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/123?utm_term=acta+constitutiva+srl+pdf (label: URL)
    • https://cdn.sqhk.co/wujamufaw/ha7lidU/farmers_io_new_levels.pdf
    • https://cdn.sqhk.co/tosobulig/oBkChiU/pivosetiruvitapitosizowi.pdf
    • https://cdn.sqhk.co/navimoxa/gjgorjG/vikings_season_3_episode_1_imdb.pdf
    • https://cdn.sqhk.co/dedejosewor/ejaghDO/mogukiwemavowo.pdf
    • https://cdn.sqhk.co/xekutenupi/TShajOd/arcade_shooter_games_xbox_one.pdf
    • https://cdn.sqhk.co/givujelised/psDVrgc/molalovabosinikidawuvudu.pdf
    • https://cdn.sqhk.co/xudadidi/aRq8RaH/monstera_plant_outdoors_nz.pdf
    • https://cdn.sqhk.co/litigoruf/ChaghA3/art_history_masters_programs_online.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6c029265-a729-4901-a37d-57afc0166dbb/apple_beats_solo_pro_vs_studio_3.pdf
    • https://uploads.strikinglycdn.com/files/869e5d60-0913-48b5-8bf7-311feeebfd99/morad.pdf
    • https://2703069b-a6ff-4ff9-983c-db139a8d76ba.filesusr.com/ugd/8b61cf_264e26f1a6c345e39e5e4f83df2a9551.pdf?index=true
    • http://sofizeximixa.epizy.com/91297623262.pdf
    • https://uploads.strikinglycdn.com/files/4cc532be-6e15-4533-a60b-0b8456d48fae/kekaj.pdf
    • https://69f6cc44-9198-4e41-bafa-43503dba92bf.filesusr.com/ugd/dec231_f0a8b0ef34e54ca4925f922ba973bafb.pdf?index=true
    • http://zuvugogab.epizy.com/brazing_welding.pdf
    • https://uploads.strikinglycdn.com/files/64611f0f-6248-4e08-81d2-04d115096afd/how_to_reset_a_spectrum_box.pdf
    • https://3568ea06-17fa-4787-91ae-86b9aa918cbd.filesusr.com/ugd/8ade13_c18dc7d0241b427fa07d1fbc0fde74ca.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a4f419c3-71ef-449e-b321-093782f8911e/71552724543.pdf
    • https://uploads.strikinglycdn.com/files/f3dd8583-c292-487e-90c0-05c7b61bef5b/1566631387.pdf
    • http://xipokawopigigig.epizy.com/barcode_128_font.pdf
    • http://xuvugezizitowu.rf.gd/66190515166.pdf
    • https://uploads.strikinglycdn.com/files/7b961565-5dd1-49a7-b909-4618ae9d9474/gezigatugukokilufevabux.pdf
    • https://0c7ecde5-8d52-4b6d-bf00-bcb9beb5fd3c.filesusr.com/ugd/b6f5a5_9bdff479a947484e88abbe7a9b339628.pdf?index=true
    • http://nizubuver.rf.gd/waxax.pdf
    • https://uploads.strikinglycdn.com/files/e0c25160-79da-4bf7-9d1a-2b4966b06d08/fifetivabemifidiv.pdf
    • https://uploads.strikinglycdn.com/files/93bcb4d3-81e5-4c51-92d4-73a18e67a9cb/death_of_the_author_concept.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e456.bin
SHA-256: e4acc824e5b0e96ea9fc0c91dd488b5de87a9891a65724325aa4542dfa663258
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE456
Size: 5196 bytes

Filename: font_01_sfnt_off0000f61e.bin
SHA-256: a4c6d8b9b0398278a29fe47c10f7ae96783e2d3bf93d1077c35316e3b378cf11
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF61E
Size: 11448 bytes