Malicious PDF — malware analysis report

Static analysis result for SHA-256 a25bf843a2db048b…

MALICIOUS

PDF

Size: 81.2 KB
Created: 2021-03-22 22:53:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2ef7d9c0c7d5a9c0f09a4b475fd5e247
SHA-1: 7088baa6e7ba326f54790b6801f0dbd4c79b6224
SHA-256: a25bf843a2db048bee11c7f8afcec987c02f0d7e1318707057d1a7fb8087eb74
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large set of external links, most of them part of a link farm built to manipulate search-engine results rather than to cite documents. The primary URL, https://kuzutuzo.ru/award?keyword=alexander+baumgarten+aesthetica+pdf, carries the target search phrase in its query string: the file is an SEO lure aimed at users searching for a PDF of Alexander Baumgarten's Aesthetica, and the authoring application recorded in the metadata above (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a machine-generated carrier rather than a hand-authored document. ClamAV's Pdf.Phishing.Trojan signature and the ML classifier (score 0.9993) both flag the file as malicious. No JavaScript or other script content was extracted, so the T1059.007 (JavaScript) tag is not backed by recovered code; the verdict rests on the file's structure and its link pattern, which point to routing users into a delivery chain for unwanted or malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9993)

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    The PDF is small yet contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): external URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate definition carries active content; for this sample it stays at info.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/award?keyword=alexander+baumgarten+aesthetica+pdf (primary)
    • https://cdn-cms.f-static.net/uploads/4401515/normal_60186956699dc.pdf
    • https://cdn-cms.f-static.net/uploads/4426960/normal_600c70c9e749c.pdf
    • https://cdn-cms.f-static.net/uploads/4384152/normal_6043f67857a5a.pdf
    • https://static.s123-cdn-static.com/uploads/4445125/normal_5ff58856337ca.pdf
    • https://cdn-cms.f-static.net/uploads/4484994/normal_603280d2a0cfd.pdf
    • http://duplicwcnj.space/posuxesya4xk.pdf
    • https://cdn-cms.f-static.net/uploads/4412778/normal_602d841bdc78d.pdf
    • https://static.s123-cdn-static.com/uploads/4445114/normal_600907a247652.pdf
    • http://x-bionic.shop/how_to_fix_dyson_dc39_triggerheaddk04c.pdf
    • http://kkkirrreeee.space/401377816895x9ry.pdf
    • https://static.s123-cdn-static.com/uploads/4384143/normal_5fe55ca534d51.pdf
    • https://cdn-cms.f-static.net/uploads/4387825/normal_603e9a1da535e.pdf
    • https://cdn-cms.f-static.net/uploads/4474739/normal_6041416ea4d6f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d6d3a1c5-32ce-46e9-ae92-c5b8d84d65d9.filesusr.com/ugd/a3b54b_9ac85308b3ce46b780b55e6aff7993cd.pdf?index=true
    • https://7133fc40-0b9c-4701-b953-e7fafc934b44.filesusr.com/ugd/70a38d_2bd347ecec1f4caa9139e75913b32157.pdf?index=true
    • https://fc060a1e-8c1d-4b7d-bafd-75f79d4c6355.filesusr.com/ugd/c0a468_ac5caa8a568c455bae9cd16b5921c5e7.pdf?index=true
    • https://a5a8f6e1-24ae-425c-880d-6f4079e3c376.filesusr.com/ugd/035627_37860e803810443b97a9a3e43172ec6e.pdf?index=true
    • https://f27bca7f-571c-471d-9e77-92385e6dfcd0.filesusr.com/ugd/9a0fa1_6c66b5f7efeb4ff79e9e37dc7887c35b.pdf?index=true
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_9cd08b5d6e2f44d387476cef3a90ff49.pdf?index=true
    • https://77bc4ea4-de20-41c0-a463-a5315db628d9.filesusr.com/ugd/2c69e3_95f8ef4081584c83ab3870b16eb7b969.pdf?index=true
    • https://cd489911-dc6d-4439-b408-84622343fb93.filesusr.com/ugd/d8e941_3459541edc6f41f999c901f0d8e9b1be.pdf?index=true
    • https://c1ab63b4-4781-4901-abeb-f581ed41d26f.filesusr.com/ugd/b44917_cd9c85eb4eb64fb586f10f4cad27b784.pdf?index=true
    • https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_84c5b7bbeb184c37b739dbbda8e3269d.pdf?index=true
    • https://b40f07b9-a98f-42b6-a6e2-5dc2c82ebb0e.filesusr.com/ugd/e949ea_bcd3bfcf359a49cebec119d410bba427.pdf?index=true
    • https://54d25d35-1219-4e5f-97c3-905e72ea606f.filesusr.com/ugd/6d59ab_c04360ed38bf4793aea50f9912b5db83.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Note: the w3.org, purl.org and ns.adobe.com entries are RDF, Dublin Core and XMP namespace identifiers from the document's XMP metadata packet, not clickable links, and the scripts.sil.org/OFL and ascendercorp.com entries are the kind of license, vendor and designer URLs carried in embedded font name tables (two sfnt fonts are carved below). None of these belong to the link farm; the .pdf links on f-static.net, s123-cdn-static.com, filesusr.com and the throwaway .space/.shop hosts are the ones that matter for triage.
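The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a plain-text scan of the file. The script below is an added example written for this page, not the analysis platform's own logic: it collects every "N G obj ... endobj" definition, reports object numbers that are defined more than once with byte-different bodies and whether a definition carries active content, and runs a link census over /URI actions (links per host, share of .pdf links on the dominant host, file size). The PDF it scans is constructed inline with RFC 2606 example hostnames and is not the analysed sample; the thresholds in link_farm_score are assumptions chosen to illustrate the shape of the rule.

```python
"""Triage for PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.
Example code for this page, not the platform's code. The PDF built below
is a constructed sample, not the analysed file; thresholds are assumptions."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# One indirect object definition: "N G obj ... endobj". Plain-text scan only:
# objects packed into compressed /ObjStm streams stay invisible until the
# file is inflated first (e.g. qpdf --qdf --object-streams=disable in out).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (literal string) as used by link annotations and URI actions.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys that make an object "active": it runs code or navigates by itself.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def object_definitions(pdf: bytes) -> dict:
    """{(num, gen): [body, ...]} in file order. An incremental update that
    redefines an object appends a second body: first-wins readers use
    index 0, last-wins readers (most viewers, via the xref chain) index -1."""
    defs = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        defs.setdefault((int(num), int(gen)), []).append(body.strip())
    return defs


def duplicate_objects(pdf: bytes) -> list:
    """Objects defined more than once with byte-different bodies, plus
    whether any definition carries active content (what raises severity)."""
    findings = []
    for key, bodies in object_definitions(pdf).items():
        if len(bodies) < 2:
            continue
        if len({hashlib.sha256(b).digest() for b in bodies}) == 1:
            continue  # byte-identical re-emission: harmless
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({"object": key, "definitions": len(bodies),
                         "active": active})
    return findings


def external_links(pdf: bytes) -> list:
    """URLs from /URI actions, resolved last-wins like a normal viewer."""
    urls = []
    for bodies in object_definitions(pdf).values():
        for m in URI_RE.finditer(bodies[-1]):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
            urls.append(raw.decode("latin-1"))
    return urls


def link_farm_score(pdf: bytes, max_size=200_000, min_pdf_links=8,
                    min_top_share=0.5) -> dict:
    """Small file + many external .pdf links + most of them on one host.
    The three thresholds are assumptions for this example."""
    urls = external_links(pdf)
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "links": len(urls), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_share": round(share, 2),
            "flagged": (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                        and share >= min_top_share)}


# Constructed sample URL list, shaped like the report's: one CDN host
# dominating, a few throwaway hosts, one non-PDF link. Not real targets.
SAMPLE_URLS = ([f"https://cdn.example.net/uploads/{i}/normal_{i:06x}.pdf"
                for i in range(1, 10)]
               + ["http://lure-a.example/posuxe.pdf",
                  "http://lure-b.example/fix_manual.pdf",
                  "http://lure-c.example/4013778.pdf",
                  "http://www.example.com/"])


def build_sample_pdf(urls, duplicate_action=True) -> bytes:
    """Minimal one-page PDF with a link annotation per URL. With
    duplicate_action=True an incremental update re-emits object 3 0 with a
    different, active body (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    annots, objs = [], []
    for n, u in enumerate(urls, start=5):
        annots.append(f"{n} 0 R")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link "
                    f"/Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>\nendobj\n")
    pdf = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /S /GoTo /D [4 0 R /Fit] >>\nendobj\n"
           f"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>\nendobj\n"
           + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    if duplicate_action:  # same object number, different body, active content
        pdf += ("3 0 obj\n<< /S /JavaScript /JS (app.alert\\(1\\)) >>\nendobj\n"
                "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf.encode("latin-1")


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print("link farm:", link_farm_score(sample))
    for finding in duplicate_objects(sample):
        bodies = object_definitions(sample)[finding["object"]]
        print("duplicate:", finding)
        print("  first-wins body:", bodies[0])
        print("  last-wins body: ", bodies[-1])
```

On the constructed sample the census reports 12 .pdf links with 75% of them on cdn.example.net and flags the file, and object 3 0 is reported as defined twice with active content: a first-wins reader sees the harmless /GoTo action, a last-wins reader the /JavaScript one. Against a real sample, inflate object streams first and expect the link count to include XMP namespace strings only if you widen the regex beyond /URI actions; this scan deliberately counts navigation links only.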

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f843.bin
    SHA-256: 475e55239b6d00066291279ae3cd3a7c9fcb4ecfd4ebd2cf53c1de60d3bc3983
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF843
    Size: 5764 bytes
  • font_01_sfnt_off00010bbb.bin
    SHA-256: 528e2fa57c1a2b2710d1fc07d55d8fa16aac0c9bd9eeb43e458e4fb75040b45f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BBB
    Size: 12936 bytes