Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3aea9abf38aa627…

Verdict: MALICIOUS

File type: PDF

Size: 225.2 KB
Created: 2022-08-23 02:58:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2023-10-10

MD5: f3b46fb1766fa0727da142b4395dfd91
SHA-1: bd4d6242546dc26891b7107c64d4237a17671e13
SHA-256: e3aea9abf38aa627f2110dc2dddd2041594ff86db5cada2858a079312fe52523

Risk score: 76

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file triggered a high-confidence machine learning detection and a heuristic indicating a redirector link. The embedded URL 'http://xeltuve.com/c3?utm_term=microsoft+flight+simulator+e3+2019' is presented as a lure for 'microsoft flight simulator e3 2019', suggesting a phishing or scam attempt. No scripts were extracted, but the presence of an external URI and a redirector link points to a malicious intent to lead the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9022

Heuristics (4)

  • [high] PDF_SEO_UTM_REDIRECTOR_LINK: Image lure linking to an SEO redirector (free-download phishing)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://xeltuve.com/c3?utm_term=microsoft+flight+simulator+e3+2019 (PDF link annotation)
    • https://kopowibepe.weebly.com/uploads/1/4/1/5/141573754/xozabivibifewot.pdf (in PDF document text)
    • https://segurodegranizo.ar/noticias/fckeditor/file/69343174644.pdf (in PDF document text)
    • http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/37ecb94533b42cdf957376dee78ee41c/96618334530.pdf (in PDF document text)
    • https://faxulifil.weebly.com/uploads/1/3/4/7/134731484/639ea870ac40.pdf (in PDF document text)
    • https://kulosewutul.weebly.com/uploads/1/4/1/5/141555448/4478783.pdf (in PDF document text)
    • http://kod-da-vinci.ru/ckfinder/userfiles/files/saruxobumivetew.pdf (in PDF document text)
    • https://jerememado.weebly.com/uploads/1/4/1/4/141486479/modogosotimuvom.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aea6a97201213e037dc4e/t/62bde0c3d6162061531254d2/1656611012070/offsetting_account_report_in_sap.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aebe5436e397a99d53e8a/t/62c7b796c14f6e594931b361/1657255831051/wubevof.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62d798b52894590e3bd662dc/1658296502061/blue_mountain_state_season_3_episode_6_cast.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62e21255e3e4ef1ef75fb0b4/1658982997585/flatpak_user_guide.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62cbb7e94040f055beb17b50/1657518058308/exit_hesi_study_guide.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62df99947cc2077aa2b39837/1658821013463/munevetujisufugoso.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62d248f471917366f333e3d3/1657948405308/89417083263.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62d83fe2abe4112cc1f15380/1658339298972/tupekokagiviwap.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aeb86718479732845b7b4/t/62e4a737daf3695c449a4f7c/1659152184438/bahubali_2_movie_in_english.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62c9647c6a3d6b58b3a3b5ba/1657365628803/nujexosivovipegugoxodisa.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aeb86718479732845b7b4/t/62cf292b734a186cdc6ee56f/1657743659627/basic_rental_application_free.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62bad1b150d9c127fd4adfe3/1656410546554/brs_pediatrics.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62da5b1bb36a234b9b6ce523/1658477339811/procurement_and_supply_chain_managem.pdf (in PDF document text)
    • https://static1.squarespace.com/static/604aebe5436e397a99d53e8a/t/62d09b5351124a68f0524287/1657838420237/la_maman_et_la_putain_torrent.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62b452391307a209de02e6a4/1655984698076/jafimifof.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60aaf25e42d7b60106dc17aa/t/62c4ed53d9314d72ddfafbc4/1657072980033/gejarofegavetibogez.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00032bd6.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x32BD6
Size: 18068 bytes
SHA-256: 44a4d946dedeca11ec58a08061273bf86aee8c0d52a3c74d07ed4c6d1a25462e

Filename: font_01_sfnt_off00035b34.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x35B34
Size: 11408 bytes
SHA-256: 54ca170081e5e266da3261a56af08ad170d93a58760751b7dcf27c66eb222918