Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb5f03bace1a9f53…

Verdict: MALICIOUS
File type: PDF

Size: 82.4 KB
Created: 2021-03-17 01:47:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fb417dc2de2587eec3cbf6334f3a898
SHA-1: 2058b0451e04ad0ca3f7028fc3a254936879bffe
SHA-256: bb5f03bace1a9f53e27ccab238139a34470a247925016cfc84c829d78d6281aa
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of external links, many of which are designed to mimic search results, specifically targeting the query 'krishna yajurveda aranyakam telugu pdf'. The primary malicious URL identified is https://mezovuduw.ru/award?keyword=krishna+yajurveda+aranyakam+telugu+pdf, which is likely intended to host phishing content or further malware. The presence of numerous PDF links and the ML classifier's high confidence score indicate a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://mezovuduw.ru/award?keyword=krishna+yajurveda+aranyakam+telugu+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fb5a.bin
    SHA-256: ea0d4fb6d16fcd8d7f7bfacdc20f49f8b8cb0ffff466169daad101054403b328
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB5A
    Size: 5728 bytes
  • font_01_sfnt_off00010ec4.bin
    SHA-256: 5e437f508052e3e19328b36d059cfbee533035b948f961613a4c2114ceaca8b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EC4
    Size: 13044 bytes