Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf1927e04ca78ff0…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-04-05 22:00:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16bcae5ba5afd0b06e57596ecd67d5cf
SHA-1: baad85cbb463376e086a63586acdd618ba835fbb
SHA-256: cf1927e04ca78ff00f3009465d0710ad359a7eb44c471c9d129376db94be2173
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF file was flagged by multiple independent checks, including a ClamAV signature match and an ML classifier, and is assessed as malicious. It is a small, tool-generated document (wkhtmltopdf) that carries a large number of clickable external links to other .pdf files, most of them clustered on a few free-hosting domains. That pattern matches a generated SEO link-farm carrier built to route users into malicious or unwanted-software delivery chains rather than a document with genuine citations. The primary malicious URL identified is http://bepelisufozasep.mywebcommunity.org/cautery_machine.pdf, which is likely a second-stage payload or phishing page. Note that none of the heuristics below reports JavaScript or an exploit object; the static evidence consists of the link farm, a duplicated object definition and the signature match.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to .pdf targets, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_URI [info]: External URI
    The PDF contains at least one external URL action (/URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL [info]: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically through an incremental update appended after the first %%EOF. A reader that resolves the first definition and one that resolves the last will see different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript, launch or open action).
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced here) record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/award?keyword=alter+ego+a2+guide+pedagogique+pdf+vk
    • http://bepelisufozasep.mywebcommunity.org/cautery_machine.pdf
    • http://jadogaxarabu.mygamesonline.org/xeruraxexi.pdf
    • http://tokudujadi.medianewsonline.com/kivisezanafasazotinusox.pdf
    • http://pifowovumuwe.medianewsonline.com/carcassonne_the_castle_rules.pdf
    • http://nokasosozigof.mypressonline.com/dataxedezesijusin.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wadoromutisagar.myartsonline.com/75362936748.pdf
    • https://21dbc830-6d60-48ad-8ab0-00d2b3cb69e0.filesusr.com/ugd/18d949_96fefa01cd3c4a4f91620d652c81e917.pdf?index=true
    • https://5e54824a-8208-41b0-8aeb-7c017e8cfb46.filesusr.com/ugd/f64db8_81f7a02b177740f89f827ccb099da90c.pdf?index=true
    • http://bijipav.rf.gd/cambio_climatico_2020.pdf
    • https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_6f911449a3114abd840e93dce1fcfc2b.pdf?index=true
    • https://d497f082-4895-42de-a72c-038d9367c8a3.filesusr.com/ugd/8e727b_0c3db600624d4a24891ccc6246fecd49.pdf?index=true
    • https://s3.amazonaws.com/tubukeganuji/question_answer_of_chaya_mat_chuna.pdf
    • https://a4758657-6aaa-4003-b0f6-1957e800abfd.filesusr.com/ugd/70c1f8_55b396da523c498c99f75cea54809478.pdf?index=true
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_432f35dc8440400cb967ff46855afea2.pdf?index=true
    • http://menusos.rf.gd/87015355141.pdf
    • https://s3.amazonaws.com/zufaxepixiguxax/95998664046.pdf
    • https://42f4b946-f871-4f2a-a73e-6571c6569919.filesusr.com/ugd/e20521_318e5f8b5a284f6880281f980c6f19d9.pdf?index=true
    • https://s3.amazonaws.com/rejiner/batman_vs_superman_movie_trailer.pdf
    • https://c02a3fa2-970f-4384-b4fa-7a60184a1b73.filesusr.com/ugd/1da3fe_1b3cdb2751614e9481fccd87caa6daeb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP metadata namespace URIs and the SIL Open Font License URL carried in the embedded font data; they are not link annotations and are not navigable targets worth blocking. The indicators of interest are the free-hosting .pdf links above them.
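The two structural heuristics above (the mass link farm and the object defined twice with different bodies) can both be checked with a raw scan of the file's `N G obj ... endobj` definitions and `/URI` actions, without a full PDF parser. The script below is an added example written for this report, not part of the analysis platform and not run against the real sample: it builds a small constructed PDF in memory (hypothetical host `farm.example.net`, an incremental update that redefines object 20), reports which body a first-wins and a last-wins reader would resolve, raises the duplicate's severity only when the body carries active content, and applies assumed link-farm thresholds (file size, link count, share of links on the dominant host, share of `.pdf` targets). It only understands plain literal `( ... )` strings, so hex strings and escaped parentheses in `/URI` values are out of scope.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# --- constructed sample ---------------------------------------------------
# A tiny PDF assembled here for demonstration; it is not the analysed sample.
# Body: 10 link annotations to one hypothetical host plus 2 to other hosts,
# then an incremental update that redefines object 20 with a different /URI.
FARM_HOST = "farm.example.net"          # hypothetical host name

def link_obj(num, uri):
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link "
            f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n").encode()

_uris = [f"http://{FARM_HOST}/{i}.pdf" for i in range(10)] + [
    "https://example.org/reference.pdf", "http://other.example.com/index.html"]
_annots = " ".join(f"{20 + i} 0 R" for i in range(len(_uris)))
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{_annots}] >>\nendobj\n".encode()
    + b"".join(link_obj(20 + i, u) for i, u in enumerate(_uris))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    + link_obj(20, f"http://{FARM_HOST}/redirect.pdf")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# --- raw object and URI scanning -----------------------------------------
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # plain literal strings only
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")

def scan_objects(data):
    """All 'N G obj ... endobj' definitions in file order as ((N, G), body)."""
    return [((int(m[1]), int(m[2])), m[3].strip()) for m in OBJ_RE.finditer(data)]

def duplicate_objects(data):
    """Object ids defined more than once with differing bodies.

    'first' is what a first-wins reader resolves, 'last' what a last-wins
    reader resolves. The severity names are assumptions for this example.
    """
    defs = {}
    for key, body in scan_objects(data):
        defs.setdefault(key, []).append(body)
    out = {}
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            out[key] = {"first": bodies[0], "last": bodies[-1],
                        "severity": "warning" if active else "info"}
    return out

def link_hosts(data):
    """Host -> number of /URI actions in the raw file (every definition counted)."""
    hosts = Counter()
    for raw in URI_RE.findall(data):
        host = urlparse(raw.decode("latin-1")).hostname
        if host:
            hosts[host] += 1
    return hosts

def link_farm_verdict(data, max_size=150_000, min_links=8, min_share=0.6):
    """Assumed thresholds: small file, many links, one host dominating, most
    targets themselves .pdf files. Returns (is_link_farm, details)."""
    hosts = link_hosts(data)
    total = sum(hosts.values())
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    pdf_share = sum(u.lower().endswith(".pdf") for u in uris) / total if total else 0.0
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    flagged = (len(data) <= max_size and total >= min_links
               and share >= min_share and pdf_share >= min_share)
    return flagged, {"size": len(data), "links": total, "top_host": top_host,
                     "top_share": round(share, 2), "pdf_share": round(pdf_share, 2)}

if __name__ == "__main__":
    for (num, gen), d in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} [{d['severity']}]")
        print(f"  first-wins -> {d['first']!r}")
        print(f"  last-wins  -> {d['last']!r}")
    print(link_farm_verdict(SAMPLE_PDF))
```

On the constructed sample the duplicate of object 20 is reported at the raised severity because both bodies carry a `/URI` action, and the link-farm check fires because 11 of the 13 `/URI` actions point at the dominant host and 12 of 13 target `.pdf` files. On a real document, run the same functions over the file bytes and compare the first-wins and last-wins bodies by hand before trusting either reader's rendering.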

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cf6c.bin
    SHA-256: 762aadd8fcbaf42f7f10b700ecd595cd590f889dfee56e51771ddb4fe9fae64d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCF6C
    Size: 5400 bytes
  • Filename: font_01_sfnt_off0000e1e9.bin
    SHA-256: e7a0ba586bf28a719257b6cf763226c5ffabdc4423970d3b8e6afd8f917f811d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE1E9
    Size: 16400 bytes