Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e3cdccb539ff698…

MALICIOUS

PDF

91.6 KB Created: 2021-06-05 17:06:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c90e46e8ee3541c54e5030713a6de45d SHA-1: 738eb127c22b6600891a5165933b0b3e2f051c12 SHA-256: 9e3cdccb539ff6983cb4f9ee5940e173331606c1788e9faa2642c30ddc3c4638
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, with a critical heuristic firing for PDF_SEO_LINK_FARM indicating a link farm. One of the primary external URIs identified is https://mezovuduw.ru/123, which is likely the malicious destination. ClamAV also detected this file as Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0, further supporting its malicious nature. The presence of embedded URLs and the ML classifier's high confidence score suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/123?utm_term=android+tv+raspberry+pi+3+b%252B
    • https://cdn-cms.f-static.net/uploads/4496812/normal_603c78de918cc.pdf
    • https://cdn-cms.f-static.net/uploads/4472484/normal_60b97c16ba778.pdf
    • https://cdn-cms.f-static.net/uploads/4476429/normal_600e06d86bc79.pdf
    • https://supimoxu.weebly.com/uploads/1/3/5/3/135319300/xivopemepag-fitunimumad-vibawup-pajunipake.pdf
    • https://tedowinoni.weebly.com/uploads/1/3/5/3/135304389/gurobiremupo.pdf
    • https://judiwufafa.weebly.com/uploads/1/3/3/9/133999980/1987866.pdf
    • https://cdn-cms.f-static.net/uploads/4457281/normal_60275b9eae8fb.pdf
    • https://static.s123-cdn-static.com/uploads/4474987/normal_5fff5f5aa96a0.pdf
    • https://cdn-cms.f-static.net/uploads/4366336/normal_604b1d27d2c1b.pdf
    • https://cdn-cms.f-static.net/uploads/4480399/normal_6067c74b366f8.pdf
    • https://kabijibijeg.weebly.com/uploads/1/3/4/9/134900291/jabezet_tuderudopubetu_redogefuluzap.pdf
    • https://noserosajegupa.weebly.com/uploads/1/3/1/4/131453720/6673734.pdf
    • https://cdn-cms.f-static.net/uploads/4445557/normal_604a98f4a4ad9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/a7c0d7ad-0cb3-4f47-b843-0d8bc18a8168/47254144827.pdf
    • https://uploads.strikinglycdn.com/files/3601d84b-1933-4ec3-8aec-9a7a1a9b4b64/kamok.pdf
    • https://uploads.strikinglycdn.com/files/8848bfa4-07f9-40ee-93bc-4a6d96a1ea65/how_to_connect_mouse_and_keyboard_to_samsung_tablet.pdf
    • https://uploads.strikinglycdn.com/files/28248cbe-4596-42c6-9fa7-58059d615137/pilaveloxexe.pdf
    • https://uploads.strikinglycdn.com/files/080caad9-0521-4967-906b-fa72bde7571e/how_to_fix_a_leaking_maytag_refrigerator.pdf
    • https://uploads.strikinglycdn.com/files/32ef9a76-30ed-4dfe-8d11-2b27a78a3da9/short_example_of_problem_and_solution_paragraph.pdf
    • http://jebusolole.pbworks.com/w/file/fetch/144590604/what_is_the_theme_of_dork_diaries_9.pdf
    • http://wikoborumun.pbworks.com/f/94664977185.pdf
    • https://uploads.strikinglycdn.com/files/10367f24-0548-4ad8-a3ea-35df6b459ff9/how_to_heal_a_popped_zit_overnight.pdf
    • https://uploads.strikinglycdn.com/files/4b07fff3-809c-4ef2-9118-27dc16592471/95841118238.pdf
    • https://uploads.strikinglycdn.com/files/03ac42bd-6054-4da2-b24f-abf72d310f17/bissell_symphony_pet_all-in-one_vacuum__steam_mop_reviews.pdf
    • http://wekibivu.pbworks.com/f/kixumasibigigaxogeporom.pdf
    • https://uploads.strikinglycdn.com/files/b1f0578b-f064-4b2f-8a38-ee67c31133ea/36965788885.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000119ab.bin
2f1ab440fde398bb948c39038e815cee6896a40aef37716ced23a0edea895fd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x119AB 5376 bytes
font_01_sfnt_off00012c08.bin
5ee50cac18ea9d86d989f577fe1e5750e585f531230e74c4962967a8284aade4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12C08 17080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.