Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3db2d3b835583f0…

Verdict: MALICIOUS

File type: PDF

Size: 78.1 KB
Created: 2021-05-02 14:31:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e941c976e98b89b49c2c496c83042660
SHA-1: 91d30b0f16e0bed855b306cac2c8889a38a2bc3b
SHA-256: d3db2d3b835583f01abe00db58ed291c9f24d979aa2a4fdbf56aba478841114b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains a large number of external links, many of which point to potentially malicious domains, including 'xezojetit.ru'. The document body, though heavily obfuscated, suggests a lure related to a TV show summary, which is a common tactic for phishing or malware delivery. The presence of embedded URLs and the link farm heuristic strongly indicate an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://xezojetit.ru/strik?utm_term=la+maestr%25C3%25ADa+del+amor+resumen+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f066.bin | 5ee05a4da2046e65d872dd24801792cc5d8cbbae1f5583c3c474f7a883d449ca | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF066 | 5180 bytes
font_01_sfnt_off000101f5.bin | c25cc59bd48576770ed28959f4f78ec04d654391a95b1059ee6f7187a4e29a5e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101F5 | 12316 bytes