Malicious PDF — malware analysis report

Static analysis result for SHA-256 acfe269d5236b03c…

MALICIOUS

PDF

86.7 KB Created: 2021-03-11 20:57:46 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6bb9e034e745ac79baeae69d43fce02b SHA-1: 2f9b96d1bd457516c187f261f3cdd2386149d7e1 SHA-256: acfe269d5236b03c23ba06c123f4ca18eae20912dc057749e59854edb6b3a021
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which are SEO-optimized and point to other PDF files, suggesting a link farm or content stuffing tactic. One prominent URL, "https://jacksth.ru/wix?keyword=wsop+hack+tool+v7.5+free+download", directly indicates a lure for malicious software. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' further suggests that the document may be instructing the user to decrypt a payload, which is a common tactic for bypassing gateway security. Although no scripts were explicitly extracted, the PDF structure and extensive external linking are indicative of malicious intent, likely to download further stages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=wsop+hack+tool+v7.5+free+download
    • https://cdn-cms.f-static.net/uploads/4470828/normal_602e079b277ae.pdf
    • https://vexibalob.weebly.com/uploads/1/3/4/8/134896466/5208053.pdf
    • https://fimopoki.weebly.com/uploads/1/3/4/0/134040487/1539691.pdf
    • http://kovuzaxaf.medianewsonline.com/wawimiledazomikigitu.pdf
    • https://depumubawaminuk.weebly.com/uploads/1/3/4/2/134236244/zowifaroguz_leriwogujogik_tawedokevodi_sekawulurur.pdf
    • https://cdn-cms.f-static.net/uploads/4443812/normal_6046ae3e0e7a9.pdf
    • http://sijuvibitita.iblogger.org/blank_ingoing_condition_report.pdf
    • https://cdn-cms.f-static.net/uploads/4456399/normal_601cb8c52cbd4.pdf
    • https://nefafege.weebly.com/uploads/1/3/4/6/134642137/muwurafemijuva_dizuxiroreditow.pdf
    • https://jinobodusere.weebly.com/uploads/1/3/4/7/134722577/wokerewuzesaligonu.pdf
    • http://majovevalaji.sportsontheweb.net/24212431205.pdf
    • http://kepuxom.mypressonline.com/35601426178.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/furunumaroxun/rheem_tankless_water_heater_installation_kit.pdf
    • http://wadoromutisagar.myartsonline.com/jbl_flip_3_firmware_update_mac.pdf
    • https://s3.amazonaws.com/gekixadonuru/xugodizodon.pdf
    • https://s3.amazonaws.com/rutufokedizon/segikonibetivizufubixeda.pdf
    • https://s3.amazonaws.com/jebokizez/wimip.pdf
    • http://zalatikewal.atwebpages.com/sutomunozivonopuruve.pdf
    • https://s3.amazonaws.com/daraniwekamidir/juzenowura.pdf
    • http://vorasatijede.rf.gd/dewalt_miter_saw_stand_replacement_parts.pdf
    • http://bisegigosos.epizy.com/falosipawaxexanuzuviv.pdf
    • https://s3.amazonaws.com/poguvelefa/wapking._com_new_song_2018.pdf
    • https://s3.amazonaws.com/suximawo/69159599252.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eab0.bin
54a2e178fc34f8c8186e6be9c0fb65c3dc7b276714d779d2ac53055f73a643f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEAB0 5708 bytes
font_01_sfnt_off0000fe42.bin
13678a14b930e6d42e11b2ac41b13981c2c7f5938cc30cfb194ad51886f1f1dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE42 2092 bytes
font_02_sfnt_off000107e7.bin
077f7c35291f9544474666e332c2614f18522248a9a4b9be72a8b956e897e31d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x107E7 15648 bytes
font_03_sfnt_off00013705.bin
53c3ec829963ec5a0af1bff4be2d724acb9959b277e5253d769434e6be684fe1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13705 16160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.