Malicious PDF — malware analysis report

Static analysis result for SHA-256 da46b68c1ddecc28…

MALICIOUS

PDF

93.9 KB Created: 2021-03-18 14:08:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbac1180e9f815073b87622325576ce2 SHA-1: 2d720e1cf7cd504d61766e4ac2f3fb4f6cd2b14d SHA-256: da46b68c1ddecc28de83fcdb006847cc3288717465625bbfbbce68e42cfd28ba
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting it's part of a link farm or SEO spam operation. The primary URL, https://xezojetit.ru/wix?keyword=a+walk+in+the+desert+reading+street+pdf, is likely a lure for phishing or to drive traffic to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/wix?keyword=a+walk+in+the+desert+reading+street+pdf
    • https://juxusuvib.weebly.com/uploads/1/3/0/7/130739690/9269468.pdf
    • https://cdn.sqhk.co/negapevu/RjaAgfD/tuwirovosuz.pdf
    • https://dexulivixuwe.weebly.com/uploads/1/3/0/7/130739852/4754835.pdf
    • https://cdn-cms.f-static.net/uploads/4491688/normal_6026df9b29d32.pdf
    • https://cdn.sqhk.co/kupibetefuko/XLFrP18/zuferuxurozixatatifigur.pdf
    • https://tefegori.weebly.com/uploads/1/3/1/6/131637168/tivakeki.pdf
    • https://gojamomajaso.weebly.com/uploads/1/3/4/6/134616238/2927644.pdf
    • https://sodefabufu.weebly.com/uploads/1/3/4/4/134473286/zejizokepok_dinitifebexox.pdf
    • https://musigimipipo.weebly.com/uploads/1/3/4/4/134470090/8017625.pdf
    • https://cdn-cms.f-static.net/uploads/4419452/normal_601beb852426c.pdf
    • https://jizotigop.weebly.com/uploads/1/3/0/8/130874082/1c8d2.pdf
    • https://jotipipadazazo.weebly.com/uploads/1/3/4/3/134319758/runubutikonubufu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/95182e69-e672-450d-8a24-320f337ed053/aprendizajes_clave_preescolar_lenguaje_y_comunicacion.pdf
    • https://uploads.strikinglycdn.com/files/3ca0bc8c-11f2-4305-aed9-d936d6d54109/ncees_fe_civil_practice_exam.pdf
    • https://dd907c4b-492b-4b4d-bf3c-9f0b7a2bd2c7.filesusr.com/ugd/96a426_73a1d4337c9c4b879e7c3c06cc6b7e17.pdf?index=true
    • https://e6b56e3c-1b88-4cfb-972d-ab1702b0a06e.filesusr.com/ugd/8c0e65_2ecf0b60cd524e38a2f7f6748dab326c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ab7b9e13-a927-4a0d-8699-a62a3ea5eda0/robert_graves_greek_myths.pdf
    • https://uploads.strikinglycdn.com/files/286ae9f2-3660-4435-8ec2-0136b6857a06/translation_worksheet_math_aids.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010838.bin
a606a6dede3b99472d2ac97761204782646b5f75106b48d1abccbe9a99ca9a4c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10838 6440 bytes
font_01_sfnt_off0001182c.bin
3abe6871687306c07602723919f41a53571d0cd7413504f39d1af327ee28728f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1182C 5448 bytes
font_02_sfnt_off00012ac1.bin
8cc5c816f0768036e4c9a2853df9fec88e514b792f74fd37165836a3ff2d4e63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12AC1 12108 bytes
font_03_sfnt_off000152ee.bin
416438fd0a6bf2b0fbbee90b75bae1eaaf4cf69236eda9052fd3a4450d1d3b12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x152EE 16096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.