Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6aa31b451ec7e3e…

MALICIOUS

PDF

86.6 KB Created: 2021-03-30 16:19:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04339902c91deaadbecfb1e852330967 SHA-1: ac37471d481e0a3fc1eb23e88c587cad2899a7a8 SHA-256: e6aa31b451ec7e3eb0c21787cd0db598b244a5fb1278d75f8f14b29126698fdc
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many pointing to file-sharing services, suggesting a link farm or distribution mechanism for malicious content. The presence of a URL related to 'ares virus mod apk' strongly indicates a lure for users seeking game cheats or modifications, which often serve as a pretext for malware delivery. ClamAV and ML classifiers also flagged this PDF as malicious, reinforcing the phishing and trojan classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=ares+virus+mod+apk+1.0.6+unlimited+money
    • https://pewoguliburutoj.weebly.com/uploads/1/3/4/2/134234653/e4918aa.pdf
    • https://static.s123-cdn-static.com/uploads/4482870/normal_5fcce2bcc589f.pdf
    • https://pazisurezufil.weebly.com/uploads/1/3/4/5/134594691/846f35bab3a6d.pdf
    • https://bowetupivivuz.weebly.com/uploads/1/3/1/4/131437724/9802315.pdf
    • https://safasisi.weebly.com/uploads/1/3/4/4/134472516/5199613.pdf
    • https://static.s123-cdn-static.com/uploads/4466161/normal_5fe0cd46de84c.pdf
    • https://tofabefanij.weebly.com/uploads/1/3/4/7/134726630/f9423ee2e99a.pdf
    • http://kudeduvedum.iblogger.org/62075357172.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/tixedujegibex/53199490314.pdf
    • http://lonivone.rf.gd/konunovujuxawidaw.pdf
    • https://uploads.strikinglycdn.com/files/6973cf2a-4595-4581-8069-3a7db0627c75/what_did_stephen_hawking_accomplish.pdf
    • https://s3.amazonaws.com/benubapopikaj/wordscapes_level_111_answers.pdf
    • https://s3.amazonaws.com/xamibebulosaxug/jebirobezupolumajemiwak.pdf
    • https://uploads.strikinglycdn.com/files/6d1b62ad-ad08-439a-aa2f-8b0571939579/how_to_start_cuisinart_coffee_maker_with_grinder.pdf
    • https://uploads.strikinglycdn.com/files/5485584b-50fa-4d98-bade-30ed184d2701/kenmore_elite_oasis_washer_error_code_f54.pdf
    • http://segixiw.epizy.com/47968644286.pdf
    • https://uploads.strikinglycdn.com/files/81396785-cad6-4d74-a0a6-47718e27c880/baby_got_back_release.pdf
    • https://uploads.strikinglycdn.com/files/d5ae9866-778f-4b76-911b-63da261047d5/18515925662.pdf
    • https://uploads.strikinglycdn.com/files/37df2e3e-1808-46fd-bf04-9ab340c70b6a/basevebosoza.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef4d.bin
e5b70c201330f609ef2d6a1033c94189d0cf31217753814bbf7c28ef96d37ca8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF4D 5580 bytes
font_01_sfnt_off0001024a.bin
323f4ea72dc301219c33ccf6404facf98b006a11569d415beb942f05b9bd6735		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1024A 11016 bytes
font_02_sfnt_off0001281e.bin
d78d7cc1a68daa951b4fbccbcfb906d5a08ad384f187125596154666a45abe72		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1281E 16060 bytes
font_03_sfnt_off00013cb3.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13CB3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.