Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaeaa7c8e25fc46d…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2021-04-07 04:08:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a43a0b14c4ff99e719b78681210a9d23
SHA-1: 304546afc1d32e808f95c4819d5325601bd77886
SHA-256: eaeaa7c8e25fc46d9fd12f2f4d79fd729ca0bf16a356b9907d2f008adf65d3ab
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for SEO poisoning and distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. The embedded URLs, such as 'https://lozipotod.ru/wix?keyword=lyrics+to+clean+up+woman', suggest a lure to trick users into visiting potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=lyrics+to+clean+up+woman
    • http://neyroskakalka.site/how_do_you_fix_a_noisy_dryer_drumgdks3.pdf
    • http://sport-stavki.fun/why_isnt_my_mic_letting_me_talk_on_xboxbnzyy.pdf
    • https://bolafuba.weebly.com/uploads/1/3/4/6/134668532/4259382.pdf
    • https://kosazalosir.weebly.com/uploads/1/3/2/8/132815054/xixetapavulopuz.pdf
    • http://afracheat9.xyz/timisofasasewomerukezjhbjr.pdf
    • https://vufofameti.weebly.com/uploads/1/3/0/8/130874118/zibewojowul.pdf
    • http://itasda.online/what_order_should_i_read_the_wings_of_fire_booksgoti2.pdf
    • http://inertbhjbj.ru/ielts_general_writing_task_2_sample_essaysjcb0x.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bepapogijarepub.rf.gd/abramelin_mathers.pdf
    • http://wijetifosoxi.epizy.com/puwenuninewafigenolago.pdf
    • http://pedoboxituroz.epizy.com/12634220120.pdf
    • https://uploads.strikinglycdn.com/files/18ab6045-d830-4f3b-9242-3c7c66be3c1c/fitzgerald_the_beautiful_and_damned_summary.pdf
    • https://ca108e69-7b6b-43f0-8f16-d96ebeb8a33d.filesusr.com/ugd/79e0dc_27ecb74e2017442c931e5e9b8b071fa5.pdf?index=true
    • https://da550aaf-34ae-4f9b-ad82-7836b82beebe.filesusr.com/ugd/a203e6_c23ddc75eca84261bb75137b640d6de9.pdf?index=true
    • https://9c43cb74-45e3-47de-9527-fda2e8336169.filesusr.com/ugd/af0aa9_6b08fc0a4ca94dd6a0c57e8d0b7d1bf3.pdf?index=true
    • https://f98f40d2-b649-4e6b-99af-b89bbf2331ff.filesusr.com/ugd/724bd4_e3aa9acc8dfd40b89009544d35259eab.pdf?index=true
    • https://329f26c8-0235-4118-8622-173d264d9cf1.filesusr.com/ugd/221f3a_8910cca4e5634c1999af02d87506f415.pdf?index=true
    • https://5e9816b5-e261-4a84-a5c7-594b6999e1c8.filesusr.com/ugd/eb2f7d_06f45dfdc9524121a7879ab85b47105f.pdf?index=true
    • https://709e7e89-b264-4d73-b757-064736ed86f1.filesusr.com/ugd/f523c3_d5adbc110f674e29a6feb97bbbab45ce.pdf?index=true
    • https://d90bda3b-35dd-409f-9d4b-b4a00d881a52.filesusr.com/ugd/b88e3d_851c8724d164411fa85b4b8526044e24.pdf?index=true
    • https://uploads.strikinglycdn.com/files/09f973e7-cb6a-4455-b4d7-eef4912e87de/machine_learning_tutorial_powerpoint.pdf
    • https://59b7e61f-9850-45ee-add2-e9646db267e4.filesusr.com/ugd/5b9365_3deac86ecbee4b15a4222fad106c418d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000df8e.bin
    SHA-256: b94e4f633c691d97fde1e1a3029f3c27c9ab90de3a0f79f519bfc5621bf0bf54
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF8E
    Size: 5212 bytes
  • font_01_sfnt_off0000f154.bin
    SHA-256: 10d15f0fd9c938b7237daaa4dc9765cff24f0f0ba18dc6705f4892d5c7b6bfbf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF154
    Size: 11060 bytes