Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef7a8feeff6c2c3b…

Verdict: MALICIOUS
File type: PDF
Size: 92.9 KB
Created: 2021-03-10 02:40:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65eb48ef8adc3ae7c2b6c2eaaf296b87
SHA-1: 2df6b8f42d4ce3f14d0c337122aa092b8cfa55a4
SHA-256: ef7a8feeff6c2c3b35b75b9c37cb1b92dc27028780fd934902f35c76d302c30f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to benign-looking PDFs but one specific URL, 'https://resalured.ru/123?utm_term=puppet+tool+after+effects+free', is flagged as unknown and is likely the primary malicious destination. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically related to phishing. Although no scripts were explicitly extracted, the PDF structure and heuristic firings suggest it's designed to redirect users to malicious content, potentially for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://resalured.ru/123?utm_term=puppet+tool+after+effects+free
    • https://busegozujukot.weebly.com/uploads/1/3/0/8/130874370/1971215.pdf
    • http://bufenukaje.22web.org/how_to_create_a_logo_in_photoshop_cs6_for_beginners.pdf
    • https://cdn-cms.f-static.net/uploads/4474985/normal_5fd126addc8c6.pdf
    • https://rivezotuxo.weebly.com/uploads/1/3/5/3/135337491/9122419.pdf
    • http://veritebadisifif.iblogger.org/vedic_astrology_basics_for_beginners.pdf
    • https://static.s123-cdn-static.com/uploads/4445877/normal_5ffd07950502d.pdf
    • https://cdn-cms.f-static.net/uploads/4370275/normal_602e11e335a16.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/labitajaxatufib/guided_bus_tours_of_ireland_and_scotland.pdf
    • https://s3.amazonaws.com/xupimaral/les_mis_film_trailer.pdf
    • https://s3.amazonaws.com/wibedubosateg/sezerowutefaturojej.pdf
    • https://s3.amazonaws.com/piradi/25001813602.pdf
    • https://6d5fec37-5936-4ae8-8938-03a86e982f09.filesusr.com/ugd/d4da64_b591958c25ef474f8a7a9d0f8066860d.pdf?index=true
    • http://tumirukilifu.rf.gd/29365987927.pdf
    • https://s3.amazonaws.com/jixeremipet/12507016009.pdf
    • https://s3.amazonaws.com/tolivajupeku/sri_rudram_namakam_chamakam_telugu_meaning.pdf
    • http://kavolimuteso.epizy.com/46667233981.pdf
    • http://taluzeze.rf.gd/xifebatigu.pdf
    • https://a121017b-3fb3-450c-9156-48dd71a9bf80.filesusr.com/ugd/07625c_d5d5d11ed9714a5788615bcd56a7785f.pdf?index=true
    • https://171e2b11-24ea-4535-acac-f971ec821c4b.filesusr.com/ugd/a07927_874e298d49864dda978fa0d4dc454b35.pdf?index=true
    • https://0b7b936c-93ac-4a60-9644-6ba220b934cc.filesusr.com/ugd/b4bf80_15b55ba18bbe4fdba6653e5d383eb190.pdf?index=true
    • https://858e1da1-ad31-4e5b-aec0-89c59c6c71f6.filesusr.com/ugd/6240f8_98c036b1f51e43afb05823518d857456.pdf?index=true
    • https://s3.amazonaws.com/zewimu/90067439307.pdf
    • https://s3.amazonaws.com/vexeliku/20_minute_guided_meditation_for_relaxation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001179f.bin
    SHA-256: 3132ee8f33fe19709c76694b703dbbc406b568f63867697ed67d56962b933722
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1179F
    Size: 5008 bytes
  • font_01_sfnt_off000128bb.bin
    SHA-256: e10e15c5fc46815cf3d575e6a9a889014e5562faf13732c7529db7a434e3d237
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x128BB
    Size: 12180 bytes
  • font_02_sfnt_off000150a0.bin
    SHA-256: a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x150A0
    Size: 16204 bytes