Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6aef663308bb29d…

Verdict: MALICIOUS
File type: PDF
Size: 87.2 KB
Created: 2021-03-31 19:48:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b11a7a0d691ab08cdf7e5cbfbd61fd4
SHA-1: 7950941547342808034c699372144eae95b04605
SHA-256: e6aef663308bb29d8793752271c90e66eddc895db6378880e8515971ee6ef460
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and by ClamAV, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, suggesting it is part of a link farm designed to manipulate search engine results or to redirect users to potentially harmful content. The primary URL identified is https://seumenha.ru/strik, which is likely the entry point for this malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical; rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; rule PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://seumenha.ru/strik?utm_term=how+many+chapters+are+in+the+third+harry+potter+book
    • https://nibuduki.weebly.com/uploads/1/3/5/3/135314859/0e5498302b81f64.pdf
    • https://vipegiwofavagob.weebly.com/uploads/1/3/5/3/135302795/fiwaxisuno.pdf
    • http://mutujejeturuduf.medianewsonline.com/sebises.pdf
    • http://nibewubixela.getenjoyment.net/27531979069.pdf
    • https://pidujalibogi.weebly.com/uploads/1/3/1/3/131380128/333443.pdf
    • https://deponoma.weebly.com/uploads/1/3/2/6/132696267/4726009.pdf
    • https://rumodabumuxe.weebly.com/uploads/1/3/1/8/131857513/7be9e920d5a1b.pdf
    • https://vawosikajoj.weebly.com/uploads/1/3/1/4/131438279/nositudevoto.pdf
    • http://gubuxuk.scienceontheweb.net/cardias_definicion.pdf
    • http://getepitisux.mywebcommunity.org/how_to_fix_a_samsung_tablet_charger_port.pdf
    • http://niwizonoleror.mywebcommunity.org/archaeology_textbook.pdf
    • https://wimelavejitovuv.weebly.com/uploads/1/3/4/5/134597731/keluj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/a24b6a0f-9afe-40f4-99f0-bb2d29a79369/kivusuxedinibole.pdf
    • http://tikomiwewo.atwebpages.com/37456303577.pdf
    • https://uploads.strikinglycdn.com/files/87a2ea4b-a27d-46fc-8214-004fbc50d4c9/what_degree_do_you_need_to_be_an_educational_psychologist.pdf
    • http://tuzuxutetug.atwebpages.com/pideruzeri.pdf
    • https://uploads.strikinglycdn.com/files/5a3f0043-ab46-4d58-946c-4677e440baed/is_seo_dying.pdf
    • https://uploads.strikinglycdn.com/files/b888db53-3d2e-4c37-95d6-0fbdc486eb46/30556072616.pdf
    • http://negumigimewote.onlinewebshop.net/aadhaar_card_download_online.pdf
    • http://wazipegemezen.atwebpages.com/pubanoregigiviwu.pdf
    • https://uploads.strikinglycdn.com/files/5bc55fbb-cc24-46ca-9390-66387fbe67e4/human_resource_management_salary_in_pakistan.pdf
    • https://uploads.strikinglycdn.com/files/a21d44ec-a621-49dd-9efc-45d4619169ff/19210844700.pdf
    • https://uploads.strikinglycdn.com/files/c3359ee3-8930-4853-b7c8-32bcff3d1ae4/how_to_use_the_hoover_max_extract_carpet_cleaner.pdf
    • https://uploads.strikinglycdn.com/files/fa9c0ac3-1bf2-418c-8bff-dc7eaf4390cd/denigaxalofe.pdf
    • https://uploads.strikinglycdn.com/files/1adfb206-75fd-45ea-8989-db766a3f4df7/best_study_guide_bible.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00010b23.bin
    SHA-256: 532c81a541ad043443767f72f93ff7734aaef0a31814648338b2c393ee1a3c69
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B23
    Size: 5428 bytes
  • font_01_sfnt_off00011d64.bin
    SHA-256: 73324afc8ee4a6fc6d3605b2136c58c0df4e810e0cdb528f3e9a0b8b62161fee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D64
    Size: 10384 bytes
  • font_02_sfnt_off000140be.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x140BE
    Size: 4324 bytes