Malicious PDF — malware analysis report

Static analysis result for SHA-256 d496d05a7ba45001…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-03-31 06:16:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24c742d97709760c629fd0a717cd2cc9
SHA-1: a076bf7524f2ff3451969e0ce4f97eee7f4dfbfb
SHA-256: d496d05a7ba450010baedf9141ff123e68e21fba7e6ef11a5980eea9e0c430a0
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. One of these links, https://xezojetit.ru/strik?utm_term=the+bee+tree+activities, is directly embedded in the document. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the nature of the link farm suggests a potential for malicious redirection or content delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info) PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=the+bee+tree+activities (directly embedded in the document)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fce4.bin | ed505021f1798d56c06d0d791d1589eb23c0252f8084c07e3b608099ebdaece8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCE4 | 5004 bytes
font_01_sfnt_off00010de0.bin | 9c7bb03104d97656ddac4e77546e5cf4e6cc0e546023ef64afce07829b860027 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DE0 | 10496 bytes