Malicious PDF — malware analysis report

Static analysis result for SHA-256 cec3c0b527aabb7a…

MALICIOUS

PDF

81.0 KB Created: 2021-03-18 09:20:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f9344ef96832ae82e8e8c72fd5f34c17 SHA-1: 6d11d6c9b8ffe6bb61c32b9dfca1c7ab5c57e03c SHA-256: cec3c0b527aabb7a5e878f3e56dd76b569e8ae8acc088b313f9aa9b862a0bcda
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by a machine learning classifier and ClamAV. It contains numerous external links, including a link farm designed to obscure the true destination, and presents a lure for downloading a game mod. The presence of multiple external links and the ML classification strongly suggest an attempt to redirect the user to malicious content, likely a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/wix?keyword=plants+vs+zombies+mod+no+delay+apk
    • https://rixogeki.weebly.com/uploads/1/3/4/6/134693266/08aae.pdf
    • https://buliduxefexefux.weebly.com/uploads/1/3/1/6/131636978/397253.pdf
    • https://cdn-cms.f-static.net/uploads/4409997/normal_601b902694137.pdf
    • https://xavujome.weebly.com/uploads/1/3/0/7/130739328/medufejo_girazeraso_savira_zejofedojikew.pdf
    • https://gimimelaxagoke.weebly.com/uploads/1/3/2/7/132740951/a0dc95a.pdf
    • https://zevofukuje.weebly.com/uploads/1/3/4/5/134585027/9b1c2a05856d162.pdf
    • https://wawodupalise.weebly.com/uploads/1/3/4/6/134621762/bd8da9da3e67c1a.pdf
    • https://static.s123-cdn-static.com/uploads/4381529/normal_5fe4ad715cab7.pdf
    • https://fivomatimib.weebly.com/uploads/1/3/1/0/131070631/79da1cd954d4.pdf
    • https://juwarojolajekol.weebly.com/uploads/1/3/4/1/134108785/xibewisuj-gebex.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/babuxufarizuxur/63471674986.pdf
    • https://uploads.strikinglycdn.com/files/f2cf2bd8-0e70-4f9e-aef3-29f1fcd99219/87725806071.pdf
    • https://uploads.strikinglycdn.com/files/6e9a913e-ba6f-41ea-9dfc-4eac0dd73fb8/xidumox.pdf
    • https://uploads.strikinglycdn.com/files/38bed778-397f-49ab-9384-26cc02952a50/metric_conversion_worksheet_answer_key_physics.pdf
    • https://uploads.strikinglycdn.com/files/71bd8e96-56b7-4bf8-a8ab-75cc77018a4c/37547895982.pdf
    • https://uploads.strikinglycdn.com/files/84d1e5be-59fc-44ad-a24c-5fe042c216f6/what_is_the_elements_and_principles_of_pyramid_of_giza.pdf
    • https://s3.amazonaws.com/vavabi/a_k_new_song_2018.pdf
    • https://uploads.strikinglycdn.com/files/be29844a-5fc9-4f93-908f-129c03bc5081/31415473528.pdf
    • https://uploads.strikinglycdn.com/files/093e6da7-8a31-46ef-959d-4f08537a3264/suzosumekopugebejekuwiw.pdf
    • https://uploads.strikinglycdn.com/files/a2d2e1ed-8fe1-4964-8403-a7b398f64b19/acer_-_helios_300_15.6_gaming_laptop_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e780.bin
0210c469434df689a4d3937e4cb955e7dfb04df87364f9a7d7956820ab68c828		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE780 5424 bytes
font_01_sfnt_off0000f9f9.bin
477c71dd7bdd80a4a4daf943c8432eb2cf005af7d8026a11f7d00bf7c1bc4803		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9F9 10976 bytes
font_02_sfnt_off00011fe6.bin
e245d83aa9810ba0fce5f2bb0e5f561f89fd5e90631648584630540fd40b3bbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FE6 16120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.