Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebf2792926b164c9…

MALICIOUS

PDF

74.1 KB Created: 2021-03-18 00:10:55 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 045917cdab3c253c14907e7a3c7cb6d1 SHA-1: d648db6d483034a745daf0c6686b59336d45499c SHA-256: ebf2792926b164c99d9f4dfbc5d31895d8e9bff7da71658209203c39cc32f88b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which are likely part of a link farm designed to obscure malicious intent. One of the primary URLs identified is https://kuzutuzo.ru/wix?keyword=final+fantasy+explorers+material+guide, which suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the presence of numerous external links and the overall structure indicate a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/wix?keyword=final+fantasy+explorers+material+guide
    • https://cdn.sqhk.co/dupeguwova/fojeZjg/3933470103.pdf
    • https://static.s123-cdn-static.com/uploads/4427780/normal_5fc5e626cd97a.pdf
    • https://cdn.sqhk.co/zowajomi/d6igcjb/cold_war_beta_date_pc.pdf
    • https://cdn.sqhk.co/taxodisilif/oxlXESE/jarulezopa.pdf
    • https://cdn.sqhk.co/nigudovowa/jbtz5ha/wedoroderakezor.pdf
    • https://cdn.sqhk.co/zotenejek/iageAjd/rolling_sky_2_all_levels_2019.pdf
    • https://cdn-cms.f-static.net/uploads/4463300/normal_60129f092e013.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_300216079f1d4603a33d26fa33dd5c6a.pdf?index=true
    • https://s3.amazonaws.com/jutenojamega/how_much_is_james_fletcher_worth.pdf
    • https://d5e9a058-cbdc-4968-ba72-30cdbf1e36a3.filesusr.com/ugd/9cfd0a_0000bf3d2cfe45ac97c265446eb7783b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ec2521d6-cd55-40b5-9403-64587fe1f45c/buwasizudigoguderavenufuv.pdf
    • https://uploads.strikinglycdn.com/files/ca2aa98e-50b3-411c-94ea-5a1d517e3744/how_to_find_the_right_tone_for_a_song.pdf
    • https://s3.amazonaws.com/dogevazapiwediw/opportunistic_infection_in_hiv_guidelines.pdf
    • https://uploads.strikinglycdn.com/files/2a0c6a2c-5b9c-4024-a83b-9bd375d55dca/geralobis.pdf
    • https://uploads.strikinglycdn.com/files/dacbfb06-1f61-4a7d-9eed-73044e9e2668/57308524559.pdf
    • https://uploads.strikinglycdn.com/files/921fddc7-a34a-464e-993b-f78a5a2b8217/how_do_i_get_rid_of_automatic_page_breaks_in_excel.pdf
    • https://s3.amazonaws.com/lowuwofuxali/13717174975.pdf
    • https://uploads.strikinglycdn.com/files/ee449fa1-97a0-4fd8-8a74-9509b0bc0594/1624307100.pdf
    • https://uploads.strikinglycdn.com/files/251becad-50a4-4cbd-90d3-7c130f9a1931/trig_sin_cos_tan_table.pdf
    • https://uploads.strikinglycdn.com/files/382e2645-3f4c-483f-a4d9-ea4d18dc0465/slue_foot_sue_song_lyrics.pdf
    • https://uploads.strikinglycdn.com/files/cfbb1a47-ad6d-4aa5-8c64-77794990b80d/propiedades_qumicas_de_los_materiales_ceramicos.pdf
    • https://uploads.strikinglycdn.com/files/d4128990-a370-4a3d-ad77-24aeb43b0d42/bokukixoje.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e664.bin
b8bf04bd2043643373f857d49b63fe733582f76f81b56c8477a1742f09241a29		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE664 5484 bytes
font_01_sfnt_off0000f90f.bin
3d6aa2bb73973d9b42e6b4ba3f64c18c7830fadff68e0332c15f9c2dad1b6522		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF90F 9964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.