Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca87260060cdf9fc…

MALICIOUS

PDF

80.8 KB Created: 2021-03-22 00:44:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-24
MD5: 9443790be712a9285a5a4dac6bee0ca9 SHA-1: 53d5c7765e1471105a1a16e99c957a62756a8e98 SHA-256: ca87260060cdf9fcc90cdf70963ac7e7e68bca25c4034fd61cb6ed8bb9693440
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/wix?keyword=the+great+railway+bazaar+pdf+free+download PDF link annotation
    • https://taxinureku.weebly.com/uploads/1/3/0/8/130814469/ed3412772e61f27.pdfIn PDF document text
    • https://wekasekizoturir.weebly.com/uploads/1/3/4/1/134131482/xufepaxiwuv.pdfIn PDF document text
    • https://tamexixufose.weebly.com/uploads/1/3/0/7/130739892/namar_ruzugorilotemip_wukarobe.pdfIn PDF document text
    • https://jekosupoma.weebly.com/uploads/1/3/1/6/131637113/5908030.pdfIn PDF document text
    • http://levotavo.scienceontheweb.net/lireji.pdfIn PDF document text
    • https://gigazubexu.weebly.com/uploads/1/3/4/6/134613152/xobamupup-wiwego.pdfIn PDF document text
    • http://fukazab.mywebcommunity.org/sartorius_muscle_stretches.pdfIn PDF document text
    • https://gejiraje.weebly.com/uploads/1/3/2/7/132740564/6129414.pdfIn PDF document text
    • https://vudovonijojor.weebly.com/uploads/1/3/1/4/131437364/dovose.pdfIn PDF document text
    • https://xupemapimosow.weebly.com/uploads/1/3/0/7/130776757/20e61d57b6c09.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://s3.amazonaws.com/ragejufa/vukanida.pdfIn PDF document text
    • https://s3.amazonaws.com/kufazete/steel_column_design_example_as_per_is_800.pdfIn PDF document text
    • https://s3.amazonaws.com/bidemewufa/33233969805.pdfIn PDF document text
    • https://s3.amazonaws.com/mokuwanibof/reticular_formation_pons.pdfIn PDF document text
    • https://8a7e94d2-1b07-4399-8a7b-cfebf1eb419e.filesusr.com/ugd/e78b77_a968b078806b44c0ba8fc35fc5eaae0a.pdf?index=trueIn PDF document text
    • https://29c5b005-6627-40e3-9da1-9f9d3dbc34dc.filesusr.com/ugd/7ad284_e956cc6cb0de439fa143193ac8d060fe.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/taturi/zajupixumilenotireman.pdfIn PDF document text
    • https://6a8c3f3f-5248-4e80-80e0-4bf2c04f72bc.filesusr.com/ugd/8b2c09_1b2fd31b21b1486e96113619c8338f83.pdf?index=trueIn PDF document text
    • http://tavoxelelenasi.onlinewebshop.net/xagego.pdfIn PDF document text
    • https://30d6ba4c-d201-4e26-8f31-a0e059b28788.filesusr.com/ugd/f9b8bb_aff0d9054ba841ed92c329d14e49deee.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/dofufiri/armor_guide_botw.pdfIn PDF document text
    • https://s3.amazonaws.com/mipizaju/peak_secrets_from_the_new_science_of_expertise_free.pdfIn PDF document text
    • https://s3.amazonaws.com/zarusegibitumet/xibinakotap.pdfIn PDF document text
    • https://8fc1c2d6-49ba-4d63-8b95-0327ef2b1627.filesusr.com/ugd/1849a1_bc57bc52342d43908f664b254e37bbe0.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9a6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD9A6 5248 bytes
SHA-256: 89c6c92f28082d540dbcaafded5e59cf150ca9e515c66bfc96107196edce0f07
font_01_sfnt_off0000eb96.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB96 10648 bytes
SHA-256: ef7709aae1d478d83bd031c46bd25aeb0ec68953939a1d1b53b0454cc9fe997e
font_02_sfnt_off00011061.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11061 16060 bytes
SHA-256: 99ddc6f5858eb134f8024171ebe717cbd02485c31471b921a5021903b5272953
font_03_sfnt_off000124fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x124FB 4324 bytes
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176

Open this report in the interactive analyzer, or submit your own file for analysis.