Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cd65503f6058853…

Verdict: MALICIOUS
File type: PDF
Size: 75.2 KB
Created: 2021-03-19 22:49:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 900e386c92fbf6edc0ea668216352433
SHA-1: 70776f1f8da114d1916482f643c277deb6b0c9cd
SHA-256: 9cd65503f6058853bf2c912d93d14c1ffae97b4c519a005f2b03ef65d6041e76
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the ML classifier and ClamAV flag this PDF as malicious, and the ClamAV signature names it a PDF phishing trojan. The file is small (75.2 KB), was generated with wkhtmltopdf, and carries a large number of external link annotations, most of them pointing at other PDFs on free-hosting domains (weebly.com, strikinglycdn.com, filesusr.com, rf.gd, epizy.com, iblogger.org). That is the shape of a generated SEO link-farm PDF, not of a document with genuine citations. The primary URL, https://xezojetit.ru/strik, carries a utm_term of 'troubleshooting lg dryer not heating', the search keyword the document was built to rank for: a user who reaches the PDF through a search result and clicks through is routed to that host, which is the entry point of the redirection chain. No script content was extracted, so the T1059.007 (JavaScript) mapping is not supported by the carved artifacts; the only active content found is /URI link actions. Because the hosting domains in such campaigns rotate quickly, detection should key on the file hash and on the link-farm pattern rather than only on the individual hosts listed below.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9999

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (this file has a trailing incremental section), so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://xezojetit.ru/strik?utm_term=troubleshooting+lg+dryer+not+heating
    • https://korisupugi.weebly.com/uploads/1/3/5/3/135308649/motuvomexebibireti.pdf
    • https://wupixizot.weebly.com/uploads/1/3/5/3/135398135/57df97dc.pdf
    • https://jaxanotev.weebly.com/uploads/1/3/1/1/131164383/37057f371c76.pdf
    • https://midejewafefo.weebly.com/uploads/1/3/4/0/134000268/fifegusokujegexupem.pdf
    • https://falusawo.weebly.com/uploads/1/3/6/0/136084102/lidedemimofug.pdf
    • https://lugelobixo.weebly.com/uploads/1/3/6/0/136095506/485486.pdf
    • http://berilunowalaz.iblogger.org/us_visa_form_from_pakistan.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kunogasagi.rf.gd/kujexenivowimesil.pdf
    • https://uploads.strikinglycdn.com/files/bd823f28-5fb9-4522-8ada-fc77b4f77391/zuvivokexog.pdf
    • https://49432a94-54bc-4d13-9d12-ea41d731e1b8.filesusr.com/ugd/a7c689_72d3ac1a23574c2a8da41f7df69012c2.pdf?index=true
    • http://wulixojapekapa.epizy.com/mu_co_form_e_l_g.pdf
    • http://zarazemudaseri.epizy.com/apple_privacy_website.pdf
    • https://uploads.strikinglycdn.com/files/036f8409-4bb8-4697-a7aa-8a59a567c43f/can_you_get_gta_3_on_ps4.pdf
    • http://favilogas.rf.gd/how_to_open_vizio_remote_battery.pdf
    • https://uploads.strikinglycdn.com/files/4902ff29-69a1-42a2-b0e7-4f2fdd55c8be/82259151606.pdf
    • https://e6e31949-ba74-43ae-8e0c-2243355e89fd.filesusr.com/ugd/69e259_65666cf395334fd9a43215a9f92140f9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2fc91414-8ce4-43a5-974a-f6cf5faadeb0/dometic_penguin_duo_therm_air_conditioner_shroud.pdf
    • https://uploads.strikinglycdn.com/files/7c9bdea4-d1a2-4147-a0c3-771df8b9ea68/how_to_design_home_interior_online.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP namespace identifiers from the document metadata and the SIL Open Font License URL from the embedded fonts' name tables, not clickable link targets; they should not be counted toward the link-farm total or blocked.
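The three structural heuristics above (PDF_SEO_LINK_FARM, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a raw-byte scan, which is also how the duplicate-object check has to work: it must see every "N G obj" in the file, not only the ones the xref table points at. The script below is an added example written for this report, not the scanner's own code. The thresholds (200 KB, at least 10 links, half of them on one host), the hostnames farm.example / other.example / lure.example and the minimal PDF that build_sample_pdf() assembles are all assumptions and constructed test data, not the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Raw-byte patterns. Object streams (/ObjStm) and hex-string /URI values are
# deliberately out of scope; pair this with a real parser for those.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicated object "active" rather than inert.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI",
               b"/OpenAction", b"/AA", b"/SubmitForm")


def build_sample_pdf(targets, override=None):
    """Constructed test input (assumption, not the analysed file): one /Link
    annotation per URL in `targets` (objects 4, 5, ...), then, if `override`
    is given, an incremental update that redefines object 4 to point there."""
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(targets)))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>\nendobj\n".encode(),
    ]
    for i, url in enumerate(targets):
        parts.append(f"{4 + i} 0 obj\n<< /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({url}) >> >>\nendobj\n".encode())
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    if override:
        # Incremental update: same object number and generation, new body.
        parts.append(f"4 0 obj\n<< /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({override}) >> >>\nendobj\n".encode())
        parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) -> all bodies, for objects defined more than once with
    differing bytes: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    bodies = {}
    for num, gen, body in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(data, num, gen, last_wins=True):
    """Body a first-wins or a last-wins reader would use for object N G."""
    found = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not found:
        return None
    return found[-1] if last_wins else found[0]


def carries_active_content(body):
    """True if the object body holds an action or script key."""
    return any(key in body for key in ACTIVE_KEYS)


def extract_uris(data):
    """All literal-string /URI targets in the raw bytes (PDF_URI)."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm_verdict(data, max_size=200_000, min_links=10, dominant_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external links, most on one host.
    Returns (is_link_farm, dominant_host, share_on_that_host)."""
    uris = extract_uris(data)
    if len(data) > max_size or len(uris) < min_links:
        return False, None, 0.0
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    host, count = hosts.most_common(1)[0]
    share = count / len(uris)
    return share >= dominant_share, host, share


if __name__ == "__main__":
    farm = [f"https://farm.example/uploads/{i}/doc{i}.pdf" for i in range(11)]
    pdf = build_sample_pdf(farm + ["http://other.example/"],
                           override="https://lure.example/strik?utm_term=dryer+not+heating")
    print("link farm:", link_farm_verdict(pdf))
    for (num, gen), bodies in duplicate_objects(pdf).items():
        print(f"object {num} {gen} defined {len(bodies)}x, active:",
              carries_active_content(bodies[-1]))
        print("  first-wins ->", resolve(pdf, num, gen, last_wins=False))
        print("  last-wins  ->", resolve(pdf, num, gen, last_wins=True))
```

The split between duplicate_objects() and carries_active_content() mirrors the severity rule in the heuristic text: a redefined object is only informational until the redefinition carries an action key. Run the script directly to see the two readers resolve object 4 to different targets; for a real sample, pass the file bytes to link_farm_verdict() and duplicate_objects() instead of the constructed PDF.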

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e751.bin | 8df5b1f140442c4386029681387f9c20ec9835544e1115919c74db50f09e0fb3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE751 | 5276 bytes
font_01_sfnt_off0000f93c.bin | 7465f265de0aaeaeadf85cf641d7b5b136a80802c79cf5a73f3d82462481bce3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF93C | 11516 bytes