Malicious PDF — malware analysis report

Static analysis result for SHA-256 df54e2476dfc8bd9…

Verdict: MALICIOUS
File type: PDF
Size: 90.3 KB
Created: 2021-03-16 19:42:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7fa8fb0bb0c03a5aacf57b835a5a8fd
SHA-1: 794f89509b33019f55e6c5dbb5ab3078ccfaeef5
SHA-256: df54e2476dfc8bd97b4fd0e988271b0819ae73fb8bf8778ea012ad4eb1230b51
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Note that none of the heuristics listed below reports embedded JavaScript; the T1059.007 mapping is not corroborated by a detection in this report and should be treated as a classifier-level tag rather than a confirmed capability.

The PDF uses the lure 'Ozark trail 10 person instant cabin tent instructions' (the same phrase appears as the keyword parameter of the first extracted URL) to disguise its purpose. Its authoring metadata (wkhtmltopdf, an HTML-to-PDF converter) and its large number of clickable external links to other .pdf files, most of them on a few hosting and CDN domains (cdn.sqhk.co, filesusr.com, strikinglycdn.com, iblogger.org, rf.gd, epizy.com), match the PDF_SEO_LINK_FARM heuristic: a generated carrier document whose job is to route users into a malicious or unwanted-software delivery chain rather than to cite sources. The Nyx PDF classifier independently scored the file 0.9951 malicious, agreeing with the heuristic verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action (/S /URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (a revision appended to the end of the file), so severity is raised only when the duplicate carries active content such as an action or script; here it stays at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; where per-URL labels are present they show which channel (macro, JS, link annotation, document body, ...) reached each URL. No per-URL channel labels survived in this report, so the list below is undifferentiated.
    • https://xezojetit.ru/wix?keyword=ozark+trail+10+person+instant+cabin+tent+instructions
    • http://kuroramogesok.iblogger.org/letter_format_for_teacher_job_application.pdf
    • https://cdn.sqhk.co/turanexode/9jijhKR/xojiwesetipoguweg.pdf
    • https://cdn.sqhk.co/tobijoge/Eibhegf/55357331910.pdf
    • http://mijakaku.iblogger.org/sepsis_and_septic_shock_guidelines.pdf
    • https://cdn.sqhk.co/tusenepobam/ugciahd/water_racing_game_download.pdf
    • https://cdn.sqhk.co/vomisape/hf3VIWq/brolly_sheets_singapore.pdf
    • https://cdn.sqhk.co/wejideduv/Qgihejf/warship_battle_3d_world_war_2_mod_apk.pdf
    • http://ratubave.22web.org/lixovonuwezeguribuga.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://d89a15f7-21b5-45f0-b9b4-bc5b7be68842.filesusr.com/ugd/18e821_e2b59bb5a57947a48be8d3b30bc7aef1.pdf?index=true
    • http://dinedolorexos.rf.gd/ragovukinu.pdf
    • https://5e9c932d-19a8-4d5a-a970-d4bc0bcb832b.filesusr.com/ugd/bae0a0_0ef1204daba047b5af9ed0ffcf5ead0a.pdf?index=true
    • http://vebefabose.epizy.com/wedding_invitation_email_templates_free.pdf
    • http://dogumimuzelu.epizy.com/bexar_county_public_records_arrest_reports.pdf
    • https://083189c9-8220-4687-a375-57be19a37228.filesusr.com/ugd/909b15_69b0cd9d57ce4feeb49da6bae50961fb.pdf?index=true
    • https://9e1e9198-0fe7-4103-8084-fdcc6befb8d5.filesusr.com/ugd/2f7815_e06bec7f05c946e2ae11bd5b4c037acd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ab419347-2067-4bde-b2f8-3ac6db4f993f/29852582341.pdf
    • https://8b8c7005-3af0-45a1-8e5b-a6902caa9335.filesusr.com/ugd/dbd7d9_c57d12411569446eaeae0fec2a37b88a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/81252448-d5d1-4202-8fff-3da028c0d32c/russian_special_forces_hand_to_hand_combat_training.pdf
    • https://ed59cdd8-0d75-4634-8bb2-7afdb9da103e.filesusr.com/ugd/9cb112_3c816355642a4437859b4f01ee7a322b.pdf?index=true
    • https://9df6e0af-a028-4e88-91ba-61a1b37318d5.filesusr.com/ugd/7c1f05_6ef64dba05274f0987c81e92ed4f758a.pdf?index=true
    • http://janaradoru.rf.gd/30642610693.pdf
    • https://dd67658a-cc17-4e1c-bca5-42bf299a485b.filesusr.com/ugd/07a440_1fc9a94461554f2fbd88deff8351dc7f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7287039d-8fa7-46f2-b9ba-b8fb542be918/xitidegi.pdf
    • http://paporoj.rf.gd/tratamiento_de_acidosis_metabolica_en_pediatria.pdf
    • https://6998e30b-c911-4113-ab34-4c15204891c7.filesusr.com/ugd/429b25_2c234a02747f4cfcad4b7829b04cf087.pdf?index=true
    • http://fekimemisuj.rf.gd/why_is_my_front_loader_washing_machine_leaking.pdf
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_dffb97157abc436e92103e08e0f319d2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a6d24abe-2793-42e3-958a-6a74fc16cba5/g_shock_ga_100_strap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not link targets: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP namespace identifiers from the document's metadata stream, and scripts.sil.org/OFL is the SIL Open Font License URL carried in font metadata. The ascendercorp.com and daltonmaag.com entries are most likely vendor URLs from the name tables of the embedded fonts (both are type foundries); treat them as font provenance, not as lure destinations.
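
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with raw-byte scanning. The Python below is an added example written for this page; it is not the analysis engine's code. The thresholds (250 KB, at least 10 .pdf links, 60% of them on one host), the list of keys treated as "active content", and the constructed sample PDF it builds are assumptions chosen for illustration. It walks every "N G obj ... endobj" definition without trusting the xref table, so an object redefined by an appended incremental update is seen next to the original, which is exactly the first-wins/last-wins ambiguity the heuristic describes.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Raw-byte object scanner for "N G obj ... endobj". It deliberately ignores the
# xref table so that objects appended by incremental updates are all visited.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI literal strings inside URI actions; the hex-string form <...> is not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Assumed list of keys whose presence makes a duplicated object "active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|GoToR)\b")


def pdf_string_unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uri_actions(data: bytes) -> list:
    """All /URI targets in file order, including those in appended revisions."""
    return [pdf_string_unescape(m.group(1)) for m in URI_RE.finditer(data)]


def link_farm_assessment(data: bytes, max_size=250_000, min_pdf_links=10, min_cluster_ratio=0.6) -> dict:
    """Mimic PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host.
    Thresholds are assumptions for this example."""
    uris = extract_uri_actions(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(data) <= max_size and len(pdf_links) >= min_pdf_links and ratio >= min_cluster_ratio
    return {"size": len(data), "uri_actions": len(uris), "pdf_links": len(pdf_links),
            "top_host": top_host, "cluster_ratio": round(ratio, 3), "flagged": flagged}


def duplicate_object_findings(data: bytes) -> list:
    """Mimic PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same (N, G) defined with differing bodies.
    Severity stays 'info' unless one of the bodies carries active content, then 'raised'."""
    bodies = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(set(defs)) < 2:          # redefined with identical bytes: not interesting
            continue
        active = any(ACTIVE_RE.search(b) for b in defs)
        findings.append({"object": f"{num} {gen}", "definitions": len(defs),
                         "first_wins": defs[0], "last_wins": defs[-1],
                         "severity": "raised" if active else "info"})
    return findings


def build_sample_pdf(farm_host="cdn.example.test", n_farm=12) -> bytes:
    """Constructed sample (not the analysed file): n_farm link annotations pointing at
    one host, one unrelated link, and an incremental update that redefines object 4.
    No valid xref table is written; the scanners above never need one."""
    links = [f"http://{farm_host}/u{i}/{i:06d}.pdf" for i in range(n_farm)]
    links.append("https://docs.example.org/manual.html")
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(links)))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
             f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n".encode()]
    for i, url in enumerate(links):
        parts.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({url}) >> >> endobj\n".encode())
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # Appended revision: object 4 0 again with a different target (the duplicate shape).
    parts.append(b"4 0 obj << /Type /Annot /Subtype /Link "
                 b"/A << /S /URI /URI (http://other.test/late.pdf) >> >> endobj\n")
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_assessment(sample))
    for finding in duplicate_object_findings(sample):
        print(finding["object"], finding["definitions"], finding["severity"])
```

On the constructed sample the link-farm check flags the file (13 of 14 URI actions point at .pdf files, 12 of those on cdn.example.test), and the duplicate check reports object 4 0 twice with different /URI targets; because the bodies carry a /URI action the severity is raised, whereas a duplicate that only changes page content would stay at info, as it did in the report above. Against a real file, pass the bytes of the PDF to the two functions instead of build_sample_pdf(); streams compressed with /FlateDecode would need inflating first to see any /URI actions they contain.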

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011516.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11516
  Size: 5284 bytes
  SHA-256: 774f2a8fe02a081e6a9cb8374630e27680965a7ff495bf57c2798e5267dfbea4

Filename: font_01_sfnt_off0001271e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1271E
  Size: 10992 bytes
  SHA-256: 3dea5ce53145348899149b2385425cd402816eae42f14d5cb5b24960c5d9ec38

Filename: font_02_sfnt_off00014c94.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14C94
  Size: 4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2