Malicious PDF — malware analysis report

Static analysis result for SHA-256 eede71b4f2046cbd…

Verdict: MALICIOUS
File type: PDF
Size: 76.4 KB
Created: 2021-04-21 23:20:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 28758147c1a0d2e153340ecc1b443860
SHA-1: 25f7048a37f27be69d7450de3a12b8cefac28a62
SHA-256: eede71b4f2046cbdb39982f9b221f05ac7b23aaf098caeb68942fa67d841726f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous clickable links to external websites, most of them PDF URLs clustered on a handful of hosting domains, a pattern characteristic of a generated SEO link farm rather than of genuine citations. The document body, though heavily obfuscated, contains a URL whose query string suggests a dream-interpretation lure. The Nyx PDF classifier scored the file as malicious with high confidence (0.9991), and the producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with an automatically generated carrier whose purpose is to route users to harmful or unwanted-software download sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info; PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the entries below, the w3.org, purl.org and ns.adobe.com identifiers are XMP metadata namespace URIs and http://scripts.sil.org/OFL is the SIL Open Font License URL; these come from document and font metadata, not from link annotations, and should not be counted as outbound links.
    • https://jacksth.ru/strik?utm_term=what+does+609+mean+in+your+dreams
    • https://rojanebe.weebly.com/uploads/1/3/1/6/131637229/dozarurop.pdf
    • https://cdn-cms.f-static.net/uploads/4380694/normal_603b4bc0a1390.pdf
    • http://zakemelevij.iblogger.org/31482265335.pdf
    • http://padlamadla.site/repost_stories_for_instagram_apkrs05a.pdf
    • http://interplast.ru/systematic_biology_author_guidelines3782i.pdf
    • http://about-central.com/75313527200lulb7.pdf
    • https://cdn-cms.f-static.net/uploads/4501360/normal_605f2893f39c1.pdf
    • https://static.s123-cdn-static.com/uploads/4420037/normal_600262ea4465a.pdf
    • https://vesanawe.weebly.com/uploads/1/3/4/6/134602832/fizowen-zegoroxuzuwa-vulewod.pdf
    • https://nokesopupikes.weebly.com/uploads/1/3/4/7/134767934/2d34fd431dd0.pdf
    • https://static.s123-cdn-static.com/uploads/4490244/normal_5fe4f9799f3b1.pdf
    • http://olipaka.xyz/154832701642bgfc.pdf
    • https://static.s123-cdn-static.com/uploads/4381320/normal_6007cbd48fd77.pdf
    • https://cdn-cms.f-static.net/uploads/4446494/normal_5fdbb592c72fd.pdf
    • http://mybestchan.online/what_are_kind_words_that_start_with_the_letter_yhiiy0.pdf
    • https://cdn-cms.f-static.net/uploads/4386094/normal_6064f8971b973.pdf
    • https://cdn-cms.f-static.net/uploads/4388839/normal_60123e3bd5df4.pdf
    • https://cdn-cms.f-static.net/uploads/4369509/normal_6031f2a6e0fbb.pdf
    • https://cdn-cms.f-static.net/uploads/4498997/normal_5fdb3970bec6a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vavabi/platos_symposium_sparknotes.pdf
    • http://jukopofavim.epizy.com/telugu_to_english_dictionary_free_download_full_version.pdf
    • http://vuxotuketut.rf.gd/cloudformation_s3_bucket_encryption.pdf
    • http://jijaxipejor.rf.gd/carryon_my_wayward_son_guitar_tab.pdf
    • https://s3.amazonaws.com/xebuvuwov/mesijusorowunujodate.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
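
The PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above reduce to checks that are easy to reproduce. The Python below is an added example, not the analysis platform's code: it scans raw object definitions with a regular expression (sufficient for classic PDFs; objects inside compressed /ObjStm streams would have to be inflated first), counts /URI actions and their host concentration for the link-farm shape, and reports every object number defined more than once with different bodies together with what a first-wins and a last-wins reader would each resolve, raising severity only when a version carries active content. The PDF it inspects is constructed inline (hosts under .example) and is not the analysed sample; the thresholds (200 KB, 10 links, 50% on one host) and the set of "active" keys are illustrative assumptions.

```python
"""Two of the heuristics above re-implemented as plain checks:
PDF_SEO_LINK_FARM (many /URI actions on a small file, clustered on one
host) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (an object number defined
twice with different bodies, so first-wins and last-wins readers disagree).
Added example, not the analysis platform's code; the PDF it inspects is
constructed below and is not the analysed sample."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# "N G obj ... endobj" in classic, uncompressed PDFs.  Objects packed into
# /ObjStm object streams stay invisible to this scan until inflated.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI with a literal string; hex-string and escaped-paren forms are skipped.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence in a redefined body justifies raising severity (assumed set).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/RichMedia")


def iter_objects(pdf):
    """Yield (number, generation, body) for every object definition in file
    order, including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def extract_uri_actions(pdf):
    """URLs reached through /URI actions (link annotations, /OpenAction)."""
    return [u.decode("latin-1")
            for _, _, body in iter_objects(pdf) for u in URI_RE.findall(body)]


def link_farm_verdict(pdf, max_size=200_000, min_links=10, min_share=0.5):
    """Small file, many URI actions, most of them on a single host.
    Thresholds are illustrative assumptions, not the platform's."""
    uris = extract_uri_actions(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {"size": len(pdf), "links": len(uris), "top_host": top_host,
            "top_share": round(share, 2),
            "flagged": len(pdf) <= max_size and len(uris) >= min_links
            and share >= min_share}


def duplicate_objects(pdf):
    """One record per object number defined more than once with differing
    body bytes: what a first-wins and a last-wins reader each resolve, and
    whether any version carries active content (which raises severity)."""
    defs = defaultdict(list)
    for num, gen, body in iter_objects(pdf):
        defs[(num, gen)].append(body.strip())
    findings = []
    for (num, gen), bodies in defs.items():
        if len(set(bodies)) < 2:        # single definition or byte-identical copies
            continue
        active = any(key in b for b in bodies for key in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "first_wins": bodies[0],
                         "last_wins": bodies[-1], "active": active,
                         "severity": "high" if active else "info"})
    return findings


def build_sample_pdf(n_links=12, farm_host="link-farm.example"):
    """Constructed sample (not the analysed file): one page with n_links link
    annotations, all but three on farm_host, an /OpenAction URI action, and an
    incremental update that redefines object 3 as a JavaScript action and
    object 6 (/Info) with nothing but a new /ModDate."""
    targets = [f"https://{farm_host}/{i}.pdf" for i in range(max(n_links - 3, 0))]
    targets += ["https://other.example/a.pdf", "http://another.example/b.pdf",
                "https://third.example/c.pdf"][:n_links]
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Action /S /URI /URI (https://benign.example/) >>\nendobj\n",
            b"6 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210421232027) >>\nendobj\n"]
    annots = []
    for n, url in enumerate(targets, start=10):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, url.encode()))
        annots.append(b"%d 0 R" % n)
    objs.append(b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
                + b" ".join(annots) + b"] >>\nendobj\n")
    trailer = b"trailer\n<< /Root 1 0 R /Info 6 0 R >>\n%%EOF\n"
    # The update is appended after the first %%EOF: a last-wins reader now
    # resolves 3 0 to the JavaScript action, a first-wins reader keeps the URI.
    update = (b"3 0 obj\n<< /Type /Action /S /JavaScript "
              b"/JS (app.launchURL\\('https://other.example/', true\\)) >>\nendobj\n"
              b"6 0 obj\n<< /Producer (wkhtmltopdf) /ModDate (D:20210422000000) >>\nendobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + trailer + update + trailer


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(sample))
    for f in duplicate_objects(sample):
        print(f["obj"], f["severity"], "| first-wins:", f["first_wins"][:45],
              "| last-wins:", f["last_wins"][:45])
```

Run stand-alone, it prints the link-farm verdict for the constructed file and two duplicate records: object 3 at "high" because its second body is a JavaScript action, object 6 at "info" because only the /ModDate changed, which is the benign incremental-update case the heuristic text describes. To triage a real file, pass `open(path, "rb").read()` instead of the constructed sample.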

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eaef.bin
    SHA-256: d6d62bb70ce709cb6ae1d643c47ff8f5fefb4661f09dcad03a1e006ee0a263c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAEF
    Size: 5600 bytes
  • font_01_sfnt_off0000fdd5.bin
    SHA-256: 2d0883b559f2cc992606eff660b7dfdfa37eeed86c43dec2ff56ea5f115fe5ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDD5
    Size: 11288 bytes