Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6e0567ecba94386…

MALICIOUS

PDF

78.3 KB Created: 2021-03-15 17:36:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 484aa9c10f058daa0bedd4967671a4ef SHA-1: e02bb597a1f79c03bccda0bfaa715c98ec61fa87 SHA-256: b6e0567ecba94386824b5baf09ee86571301dfde1e0b06d895e21e4a2d65fc6c
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. One URL, 'https://zajinet.ru/strik?utm_term=link%2527s+awakening+walkthrough+level+2', is particularly suspicious and likely serves as a lure or distribution point for further malicious activity. The presence of embedded JavaScript, though not fully analyzed due to obfuscation, further supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=link%2527s+awakening+walkthrough+level+2
    • http://creditinquiry.info/74636436624f53ek.pdf
    • http://dusakopu.iblogger.org/pidotodoziwolofu.pdf
    • https://cdn-cms.f-static.net/uploads/4366978/normal_6023d889b6e2c.pdf
    • https://static.s123-cdn-static.com/uploads/4386335/normal_5fdd30c2c4c83.pdf
    • https://cdn-cms.f-static.net/uploads/4449602/normal_601db0fc292f0.pdf
    • https://static.s123-cdn-static.com/uploads/4393508/normal_5fccf0ea1b5f6.pdf
    • http://sodalabs.pro/how_can_you_feel_the_presence_of_god8up90.pdf
    • https://cdn-cms.f-static.net/uploads/4416136/normal_60355a0f7d6ed.pdf
    • http://reduslimitaly-ufficiale.website/bunco_score_cards_free33d5u.pdf
    • http://naturfresh.space/mcgraw_hill_sat_2016_free_downloadwyyr1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zetesapoxus.epizy.com/bubble_shooter_king_2_apk.pdf
    • http://pinininun.rf.gd/69700134597.pdf
    • https://275320ff-96dd-455a-9699-a0fdc58b27a5.filesusr.com/ugd/943725_0e391158fd57455ea9dfbb036c35b4ad.pdf?index=true
    • https://f8d82b49-d438-4da2-b906-f876cb6fe635.filesusr.com/ugd/12dc78_b8abfd9ebf3749109aa728acf596ef2b.pdf?index=true
    • https://d046670e-94b8-4ea2-8efc-69fca9b502c9.filesusr.com/ugd/c0b427_c8b20b8859b74f889cc5233a3f684c9a.pdf?index=true
    • https://0621cc9e-6449-4e8a-a8bd-baee9ad62a2c.filesusr.com/ugd/affb4a_f2586e775f9942ed97650a9e55f72029.pdf?index=true
    • http://rawuzogese.rf.gd/sulaxerevasu.pdf
    • http://jufakoxageponuz.rf.gd/lua_string._format_vs_concatenation.pdf
    • https://uploads.strikinglycdn.com/files/a16f677f-af80-4076-bbd3-33a81d52aec9/a_discovery_of_witches_season_1_episode_6_recap.pdf
    • https://73c25812-7308-4b32-b985-10e2a25710ca.filesusr.com/ugd/5b604d_c7fc70ae33c44b229a229886bd75fb7a.pdf?index=true
    • https://91953a53-6f32-4f2a-9b2e-0f954541ff31.filesusr.com/ugd/dad90e_806bcc24f1c74a0ba01c2414dbe0eb37.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6ab524e7-af8c-4e22-9652-cecc826d6397/93570226750.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f566.bin
ce8ec61d316caec1bea89d915f2a221f27738c0bfa2f376f110dd05da8e4ef65		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF566 5268 bytes
font_01_sfnt_off0001077b.bin
5fc36f5253b091ce2c931bdbffa28f6e86279f4b9598096c551cb82374345335		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1077B 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.