Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e001ccf75e5aa63…

Verdict: MALICIOUS
File type: PDF
Size: 80.0 KB
Created: 2021-04-27 03:02:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: a43cf6fe3fffda3bdebd7096721ad169
SHA-1: 56a0496ca73ce142d22728a507e5788f5aa1d07c
SHA-256: 9e001ccf75e5aa632b2aee965abe74ee373a28b7bb8cbaf932985fd4a754ca98
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are dynamically generated and point to a link farm. The primary external URI, 'https://resalured.ru/strik?utm_term=how+to+make+a+graph+in+science', suggests a lure to attract users interested in scientific graphs. While no scripts were explicitly extracted, the PDF structure and the heuristic 'PDF_SEO_LINK_FARM' indicate a malicious intent to redirect users to potentially harmful content or exploit them through the linked resources. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=how+to+make+a+graph+in+science (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fb79.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB79
    Size: 5432 bytes
    SHA-256: 3f08902b40d3e83fd99852127a99eb030b16bbb0a0da874e8ebf33b6b880eac2
  • font_01_sfnt_off00010ddc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DDC
    Size: 10912 bytes
    SHA-256: 45cceeb77e2bb4fdfe9e172174503a7ef0bf96a40bcb394085f324accbbb8e80