Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8aae3c531e7a25d…

Verdict: MALICIOUS
File type: PDF
Size: 84.5 KB
Created: 2021-03-21 21:47:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07f13de5a513dc4fef601059a50cbb87
SHA-1: 803bb83e8c1791a989cdd271f4387ab431cdb926
SHA-256: b8aae3c531e7a25d4339e211fcec14308196b16c1efe4b8dd74acd617f0f9235
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are structured to appear as search engine results or article gateways, indicating a link farm or SEO manipulation tactic. The primary URL, 'https://xezojetit.ru/wix?keyword=last+day+on+earth+survival+cheats+ios', suggests a lure for users searching for game cheats, which is a common phishing or malware distribution pretext. While no scripts were explicitly extracted, the PDF structure and numerous external links strongly suggest malicious intent, likely to redirect users to malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://xezojetit.ru/wix?keyword=last+day+on+earth+survival+cheats+ios
    Other extracted URLs:
    • https://cdn.sqhk.co/suxevevagova/gigezF0/67440092430.pdf
    • http://zamowafa.mywebcommunity.org/48497060363.pdf
    • https://molowusutet.weebly.com/uploads/1/3/1/3/131380828/c338caf.pdf
    • https://puziwifatewir.weebly.com/uploads/1/3/4/7/134715637/8290052.pdf
    • https://bonikelebosobi.weebly.com/uploads/1/3/2/8/132814552/4c740d14.pdf
    • https://jedurabononip.weebly.com/uploads/1/3/1/4/131453193/ganokul_saposawem_vopinu_kelubovowe.pdf
    • https://cdn.sqhk.co/xuwadezab/cJhazEA/texas_mandatory_reporting_laws_for_adults.pdf
    • https://topigofifudonif.weebly.com/uploads/1/3/5/3/135304546/39e2b0a0c8d.pdf
    • https://cdn.sqhk.co/libegavezu/himifRn/rise_of_civilization_lancelot_talent_guide.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tavoxelelenasi.onlinewebshop.net/64583155390.pdf
    • https://810dce77-56ab-4324-823a-3549757f4eab.filesusr.com/ugd/1fad07_bfccc17060d041b5b6bab3d2dcf1ab18.pdf?index=true
    • http://mojogoralil.onlinewebshop.net/46124474623.pdf
    • https://uploads.strikinglycdn.com/files/2ded8103-2cbc-48db-b657-31e73456d762/sabez.pdf
    • https://uploads.strikinglycdn.com/files/c31fc29f-6aab-4108-ae88-cce917221eb8/bixudu.pdf
    • https://835a0401-7144-467e-aacc-710587930ffc.filesusr.com/ugd/432cba_d83c980d8af44b0fb437afee8cf05f8d.pdf?index=true
    • http://xovipofeguz.epizy.com/casio_twin_sensor_watch_price_in_india.pdf
    • https://uploads.strikinglycdn.com/files/16adb899-9cc6-4192-a4f1-72f1e8374e08/xojebiwatevawifopejal.pdf
    • http://saluwagasa.onlinewebshop.net/how_to_buy_a_tiny_house_on_amazon.pdf
    • http://jegovogetaferop.epizy.com/basic_physics_concepts_book.pdf
    • https://a4758657-6aaa-4003-b0f6-1957e800abfd.filesusr.com/ugd/70c1f8_9d7286745f604389bdc041e593ea9068.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9f407e9a-c2f9-42b1-aa09-96e170c5bc6f/giwelegowefa.pdf
    • https://uploads.strikinglycdn.com/files/c46563f5-12f2-48c1-bf72-e113d2328c71/95113759108.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f685.bin
    SHA-256: 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF685
    Size: 2960 bytes
  • font_01_sfnt_off000100f5.bin
    SHA-256: dd046ea51e76b9da2012d17a4a911580c13ae4175b39660780765d5e728a77bf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100F5
    Size: 5128 bytes
  • font_02_sfnt_off00011267.bin
    SHA-256: 13678a14b930e6d42e11b2ac41b13981c2c7f5938cc30cfb194ad51886f1f1dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11267
    Size: 2092 bytes
  • font_03_sfnt_off00011c0c.bin
    SHA-256: 832dcb52440680fe466e29e99d5ceac22f9b6418c538e280aab638e30813d0ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C0C
    Size: 11680 bytes