Malicious PDF — malware analysis report

Static analysis result for SHA-256 95e2e159acb144a5…

Verdict: MALICIOUS
File type: PDF
Size: 75.1 KB
Created: 2021-05-28 19:49:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be77046460ae56138885871373a25235
SHA-1: 401b31bce6c0ad0b7946811047cadd1b2deb5a7e
SHA-256: 95e2e159acb144a582be1aa3c1ddccd64b8ed9a0fa75f30d47f90280ebaf293b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to PDF files, suggesting a link farm or redirection mechanism. The primary external URL, https://xezojetit.ru/strik, is likely used to host or redirect to a malicious payload. Although no scripts were explicitly extracted, the PDF structure and the presence of numerous external links strongly suggest it is designed to lead the user to a compromised resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://xezojetit.ru/strik?utm_term=los+ojos+de+mi+princesa+2+pdf+descargar

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e47a.bin
    SHA-256: 7dfa310073fd09b9049095d1f2e72259ddfa97c60006d3a6e40cca7a0ed67323
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE47A
    Size: 5592 bytes
  • Filename: font_01_sfnt_off0000f776.bin
    SHA-256: 3fdce38d3e5d9e8f9e4fc94690acb0aba8225e9d89642799f4228bc1950a04d5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF776
    Size: 12052 bytes