Malicious PDF — malware analysis report

Static analysis result for SHA-256 d54c543c86831497…

Verdict: MALICIOUS
File type: PDF
Size: 81.4 KB
Created: 2021-03-19 23:05:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab6239e675675b81e5dd68939ed5cdce
SHA-1: e751ce15fd39075a208dd7de63ca95b535df47c0
SHA-256: d54c543c86831497561db2c4ee14352bb8151f06058256e9b13f50ca728b7c7a
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The document trips heuristics characteristic of an SEO link farm: a small file carrying many clickable external links, most of them to further PDFs on free site-builder hosting (weebly.com, filesusr.com, strikinglycdn.com, epizy.com). The most prominent URI, 'https://seumenha.ru/wix?keyword=reidsville+high+school+ib+information+session', carries a search-style keyword parameter that matches an educational lure; the file's purpose is to route a user who searched for that phrase to the operator's redirector, not to inform. The ML classifier scores the file as malicious with high confidence (0.9998), which supports the assessment that it is designed to redirect users into unwanted or harmful content. Two caveats for analysts reading the URL list: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers and the scripts.sil.org/OFL entry is a font licence URL (the ascendercorp.com entries most likely come from embedded font metadata as well), so they are byproducts of the wkhtmltopdf/Qt authoring chain rather than navigational links; and none of the heuristics below reports a JavaScript object in this file, so the T1059.007 tag should be read as a family-level technique mapping rather than a finding confirmed in this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wix?keyword=reidsville+high+school+ib+information+session
    • https://woremudof.weebly.com/uploads/1/3/4/7/134701645/bc69e421772153b.pdf
    • https://najigojuvunijo.weebly.com/uploads/1/3/0/8/130874658/detasapamiwutudojeg.pdf
    • https://deremufirig.weebly.com/uploads/1/3/4/8/134854029/5c27b.pdf
    • http://tublitalia.space/shade_fanatic_background_5epsv87.pdf
    • http://rafale.store/area_of_parallelogram_worksheet_with_answersj1r2c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5a1138df-423b-4a5d-a7c7-36223740754e.filesusr.com/ugd/a72fa8_03059e626a544c3d94355ed39f4b4719.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d2f0010c-d772-4aec-82e4-1c1c803af9d8/gurexoteladixilonosesod.pdf
    • https://000bb656-a8cb-4e8b-9327-0b0ec99f56fe.filesusr.com/ugd/3f812e_d56ae1cf1b90430681ad6a4d94e870d9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/88dbbb5d-0c09-43ea-9d37-eca3f40442e0/why_are_my_keyboard_lights_not_working.pdf
    • https://uploads.strikinglycdn.com/files/6602b626-9f7f-4bf5-a522-07cf033c1c07/vofovekefa.pdf
    • https://6f81cef9-66a2-447d-9e1d-4c0427ef15c5.filesusr.com/ugd/4d935e_d3208c5fbb304344b165f0bdf7a7310d.pdf?index=true
    • https://4f65501f-cdae-4966-b9db-49b15ad9d196.filesusr.com/ugd/52b593_2575cdbe978e4ed78cc55c6d5ab1b60c.pdf?index=true
    • http://movafomuwexowix.epizy.com/lakudoz.pdf
    • https://1cdd1dcb-54a5-4750-95ad-c4cce9a68cd1.filesusr.com/ugd/1e32c2_f8b02e2faa0342b8a8762ec6c7c02430.pdf?index=true
    • http://derizarage.epizy.com/95694272401.pdf
    • https://8f1ef4f7-3f23-41ef-a3d6-4e5873a175a2.filesusr.com/ugd/d318ce_fa3a209e27f8447595e56afd47aff5a2.pdf?index=true
    • https://19508648-7f28-415f-8121-b57715dc1465.filesusr.com/ugd/9734e7_144b3f4a5aee47bab413a23a36568681.pdf?index=true
    • https://uploads.strikinglycdn.com/files/33db4643-6328-4e3f-be0c-71ea1101d6a4/what_is_the_moral_of_the_land_of_stories_the_wishing_spell.pdf
    • http://nivobilov.epizy.com/98425592265.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
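The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to misread without seeing the checks spelled out. The following is an added example, not the report's own detector code, that implements both over a constructed, uncompressed PDF skeleton (the sample bytes, the thresholds `max_size`, `min_links` and `cluster_ratio`, and the regex-based tokenizer are all assumptions made here for illustration). It shows how a link-annotation URL is distinguished from a URL that merely appears in metadata, why first-wins and last-wins readers diverge on a duplicated object, and when that duplication is worth escalating.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF skeleton where
# object 4 is defined twice with different bodies and the link annotations
# cluster on one host. Real link-farm PDFs carry far more annotations.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/u/1/file1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/u/2/file2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/u/3/file3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://b.example/file4.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://c.example/) >> >> endobj
4 0 obj << /Producer (wkhtmltopdf 0.12.5) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Toy tokenizer, adequate for plain uncompressed objects only. Object streams,
# filters, hex strings and escaped parentheses need a real PDF parser.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


def parse_objects(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs: dict) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same (N G) defined more than once
    with differing bytes. A first-wins reader resolves bodies[0], a last-wins
    reader bodies[-1]; severity is raised only if either copy has active content."""
    findings = {}
    for key, bodies in objs.items():
        if len(set(bodies)) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings[key] = {
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "severity": "critical" if active else "info",
        }
    return findings


def link_annotation_uris(objs: dict) -> list:
    """URLs reachable through clickable /Link annotations (the 'link annotation'
    channel), as opposed to URLs that only appear in metadata or body text."""
    uris = []
    for bodies in objs.values():
        for body in bodies:
            if LINK_RE.search(body):
                uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def link_farm_score(data: bytes, max_size=200 * 1024, min_links=4, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external clickable links, mostly on one
    host. The thresholds are assumptions for this example, not the report's tuning."""
    uris = link_annotation_uris(parse_objects(data))
    hosts = Counter(
        urlparse(u).hostname for u in uris if urlparse(u).scheme in ("http", "https")
    )
    if not hosts:
        return {"hit": False, "links": 0, "top_host": None, "top_share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    total = sum(hosts.values())
    share = top_n / total
    hit = len(data) <= max_size and total >= min_links and share >= cluster_ratio
    return {"hit": hit, "links": total, "top_host": top_host, "top_share": round(share, 2)}


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("link farm:", link_farm_score(SAMPLE_PDF))
    for (num, gen), f in duplicate_objects(objs).items():
        print(f"duplicate object {num} {gen} [{f['severity']}]")
        print("  first-wins:", f["first_wins"][:60])
        print("  last-wins: ", f["last_wins"][:60])
```

On the constructed sample the link-farm check fires (five link annotations, three of them on one host, in a file far under the size cap), and object 4 is reported as critical because its last-wins body introduces an /OpenAction with JavaScript that a first-wins reader never sees. Against a real file, run the same logic on a properly parsed object table rather than the regex tokenizer, and treat the thresholds as starting points to tune against a benign corpus of generated PDFs.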

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001005c.bin
  SHA-256: f8e521982584d5e8d56d9790f1468f4a03de21f74ca3373968512c6f7d7529ed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1005C
  Size: 5644 bytes

Filename: font_01_sfnt_off0001136c.bin
  SHA-256: 295931a4c8fcc1b17dfd30bd9bbdf7699a66338866394a2c435fa5dafdac2567
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1136C
  Size: 10892 bytes