Malicious PDF — malware analysis report

Static analysis result for SHA-256 eca3c8bb75623247…

MALICIOUS

PDF

77.6 KB Created: 2021-03-23 00:45:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4739de720d88f220f2b0649c5b1d55c SHA-1: 92ebd8163a258172fcc7f9184726f9e6beb69f03 SHA-256: eca3c8bb756232472b4433acef5d5649c22e38d293321019e585243dfaf4ab43
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized, suggesting a link farm or spamming operation. The primary URL, https://jacksth.ru/award?keyword=brownian+motion+worksheet+pdf, is presented as a worksheet, which is a common lure for phishing or malware distribution. No scripts were extracted, but the extensive link farm and the ML classifier's high confidence indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=brownian+motion+worksheet+pdf
    • https://zelowomuguzak.weebly.com/uploads/1/3/1/3/131379017/5c885cec36ee021.pdf
    • https://merogowaxoku.weebly.com/uploads/1/3/1/0/131069891/689e8b2.pdf
    • https://girusetobar.weebly.com/uploads/1/3/1/0/131071114/c8664f.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kimone/harry_potter_and_the_philosophers_stone_movie_short_summary.pdf
    • https://86a9da1b-0b57-4b35-a77a-523886b904cd.filesusr.com/ugd/0d9a50_ffd7069dc7f649559d68508e8767214b.pdf?index=true
    • https://s3.amazonaws.com/febopa/hill_climb_racing_2_car_guide.pdf
    • https://3c86e5df-9a55-47dd-9d5b-c207b25ec6cd.filesusr.com/ugd/72bf36_e194a76bf861482ab9df3c474bcd7651.pdf?index=true
    • http://rebobimakefeli.epizy.com/letter_b_worksheets_for_1st_grade.pdf
    • https://8641c524-1fb5-4292-87ed-dd72f64d6c22.filesusr.com/ugd/9b7d8a_bab72757e54f4ea2af03bc60ec4da43c.pdf?index=true
    • https://99b08629-27b2-41dd-83a1-938dc2ca35bd.filesusr.com/ugd/067ecb_00812e70e9d24c8e9e626728e59e832f.pdf?index=true
    • http://relumewamamit.rf.gd/word_problems_addition_worksheets_2nd_grade.pdf
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_5c0ba7a8508047ddbf85c928451bb6a5.pdf?index=true
    • https://81da36f4-dec6-4bf4-836b-19ed67500659.filesusr.com/ugd/5fd5c1_682e38b3e9324548aff0f595057d2c57.pdf?index=true
    • http://wosoremozojofam.epizy.com/apoptosis_mechanism.pdf
    • https://cfff6b0e-fc0f-4d9c-a983-c0e60c8b2bfd.filesusr.com/ugd/c637e3_6956078265c5486ab64a204727fd7e30.pdf?index=true
    • https://s3.amazonaws.com/nuxomigo/matlab_plot_circle_points.pdf
    • https://6e8b94c7-278c-4a65-9c30-8d61c93a8f31.filesusr.com/ugd/9ff9b8_bef5f18458004ef09de710d61846c37e.pdf?index=true
    • https://s3.amazonaws.com/babetafaperaxov/how_long_does_it_take_to_get_a_bartending_license_in_ny.pdf
    • https://90ff81fc-98d9-4e53-96a3-aaa5c1c2042e.filesusr.com/ugd/bb5aff_baea78e6c9404149814b6296ce71d75f.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d86a.bin
14a4b8afc25e43b54177d0eaefd102d54f9275f2acc3b963a19a848b09aded5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD86A 6504 bytes
font_01_sfnt_off0000e868.bin
f5766cf89e088ae93b9ad2f718d3945859a4d3dea152136bd4522bf514dffaa7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE868 2836 bytes
font_02_sfnt_off0000f4b3.bin
f07c59a46bdcd6d73a2bd716636ec10a1f19c0b274d4fa344a81c4bfe9c3e306		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4B3 5456 bytes
font_03_sfnt_off0001072d.bin
2ccd90146cc80bc087a618ae19aa7241b6c0f64b5d286f5b56fd915c187561e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1072D 9760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.