Malicious PDF — malware analysis report

Static analysis result for SHA-256 932a0a4429b0b1c5…

MALICIOUS

PDF

Size: 70.9 KB
Created: 2021-03-24 08:14:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: deb58ebc3e29c26d10c4c7fd4d13c1f4
SHA-1: 268053a60f03c86d245464c3825db3c2c0b849ac
SHA-256: 932a0a4429b0b1c500afd38fc9fc0d0ac17396c57737a5f48ae2ea8f1050d1c1
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic firing for a 'PDF_SEO_LINK_FARM'. The document body, though heavily obfuscated, contains text related to 'Cadastral map pdf' and the authoring application 'wkhtmltopdf', suggesting a lure. The primary malicious URL identified is 'https://kuzutuzo.ru/award?keyword=cadastral+map+pdf', which is likely used to redirect users to further malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9665

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=cadastral+map+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000109c4.bin
SHA-256: e4c65bc974f2494d9a254b131344b03117548fabb74e0d6ec5caaa6a0fb981ff
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x109C4
Size: 5092 bytes