Malicious PDF — malware analysis report

Static analysis result for SHA-256 f09d958fb8359f9a…

Verdict: MALICIOUS
Type: PDF
Size: 98.9 KB
Created: 2021-03-23 05:40:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ea500f36bce4c861de4d9264f50e1427
SHA-1: a21c5733689104333ba9c198211a67e116f5b14c
SHA-256: f09d958fb8359f9aaf090c7e749515776c07fb315f48b1fce9e3bf7c1507fd0a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The document carries an unusually large number of external link annotations, which triggered the PDF_SEO_LINK_FARM heuristic: the pattern matches generated SEO carrier PDFs built to route readers to other sites rather than a genuine citation structure. One prominent target, 'https://kuzutuzo.ru/aws?utm_term=tacitus+annals+book+2+translation', is dressed up as a search result or academic reference and is the likely lure. No JavaScript or other script content was extracted, so the T1059.007 tag is not corroborated by recovered code; the ML classifier nevertheless scores the file as malicious with high confidence, and the overall structure is that of a link-farm or redirection carrier rather than a document-based exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI action
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Not every entry below is a link target: the www.w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, the dejavu.sourceforge.net and scripts.sil.org/OFL entries are vendor and licence URLs carried in the embedded DejaVu font programs, and the ascendercorp.com and daltonmaag.com entries are font-foundry sites of the kind found in font name tables rather than in link annotations.
    • https://kuzutuzo.ru/aws?utm_term=tacitus+annals+book+2+translation
    • http://teenagetutor.online/zevewobemor4jeb.pdf
    • http://gayerkan.com/510267702615fbfp.pdf
    • https://rogapunuki.weebly.com/uploads/1/3/4/3/134375427/1eb164.pdf
    • https://cdn.sqhk.co/busoleva/bihjcNB/vojaw.pdf
    • https://cdn.sqhk.co/noxisoture/gSJzhgd/40321543085.pdf
    • https://mulokigapasol.weebly.com/uploads/1/3/1/0/131070847/lovuvaded.pdf
    • https://fidimamafiw.weebly.com/uploads/1/3/4/6/134624465/d1200bca4.pdf
    • https://cdn.sqhk.co/lupobikud/gfzsThd/calculator_app_for_windows_10_offline_installer.pdf
    • https://cdn.sqhk.co/josipinu/HibZjb9/king_of_thieves_bases_list.pdf
    • https://cdn.sqhk.co/kimefutif/gid5txs/air_traffic_control_assistant_salary_uk.pdf
    • http://burrrhey.tech/7461278868643gda.pdf
    • https://xovodozavaso.weebly.com/uploads/1/3/1/0/131069890/5411501.pdf
    • http://podarokinsta.site/singer_5830c_sewing_machine_instruction_manualn2vwa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://b9eb3541-094c-4606-b101-17c2291fd6e1.filesusr.com/ugd/a18601_249ab2a0a79c409ca3df362273fc41bd.pdf?index=true
    • https://7e8267f5-6380-480e-ad72-df526eaefc07.filesusr.com/ugd/cbe325_18b78e77bd5c42ceafaf4f12c88b251f.pdf?index=true
    • https://5057b38b-f250-4925-a5fd-2dbc054a2c1f.filesusr.com/ugd/25ee37_61895de5366a41bf9fd45e4c8e955e78.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c610fb0b-afbc-4c18-a044-48c2c75811f0/captain_underpants_the_first_epic_movie_2_10.pdf
    • https://uploads.strikinglycdn.com/files/2d7ab22e-7a94-49af-ad42-a23883c7015c/vataga.pdf
    • https://042e50b4-45d0-4577-915a-c14d43ab21ad.filesusr.com/ugd/18f527_903bc264fa034ed1bd3ae038823fee54.pdf?index=true
    • https://1437f3f1-f978-4e1b-9120-555090070881.filesusr.com/ugd/d4ef56_a41770da90824cd88ea2cafdaf582427.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b7413210-ee9c-4a16-95c0-c698e428d34a/tasedujuzor.pdf
    • https://cc0b58a5-7bf4-4b41-9cd7-d9bc0cd2cc6f.filesusr.com/ugd/6dc98b_5a087ccda93d449ab044afe04a2ef9ec.pdf?index=true
    • https://6776ac3f-883f-499f-bc52-38dff818ec46.filesusr.com/ugd/969751_3decf8705f564a498b8594cd8d152413.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a8ae20ba-9bd8-42ea-af29-7f06da13462c/the_princes_romance_gambit_read_online.pdf
    • https://uploads.strikinglycdn.com/files/6c40561d-428c-41a7-ac61-9a3d2dd301c2/navy_e4_eval_due_date.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
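The two structural heuristics listed above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few regular expressions over the raw bytes, which is worth doing when you want to confirm a vendor verdict on a file a strict parser rejects. The script below is an added illustration written for this page, not the analysis engine's own code: the thresholds (three or more links, 60 % of them on one host, file under 200 KB), the ACTIVE_KEYS list and the SAMPLE_PDF bytes are assumptions constructed for the demonstration, and file order stands in for xref-table resolution when comparing what first-wins and last-wins readers would see.

```python
"""Reproduce two structural heuristics from the report over raw PDF bytes:
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (same N G obj defined twice with different
bodies) and PDF_SEO_LINK_FARM (small file, many external links on one host).
Regex-only on purpose, so it also runs on files a strict parser would reject."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample for this illustration, not the analysed file. Object 4 is
# defined twice (a benign GoTo first, then a JavaScript action appended as an
# incremental update); the page carries four link annotations, three on one host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d\\(1\\).pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Assumed list of keys whose presence makes a duplicated body "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm", b"/GoToR", b"/ImportData")


def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order as (N, G, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(N, G) -> (first body, last body) for objects defined more than once with
    differing bytes. File order stands in for xref resolution here: a first-wins
    reader sees the first body, a last-wins reader (or one trusting the newest
    xref section) sees the last."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    return {k: (v[0], v[-1]) for k, v in bodies.items() if len(set(v)) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def rate_duplicates(dups):
    """True where severity should be raised: either version carries active content."""
    return {k: has_active_content(first) or has_active_content(last)
            for k, (first, last) in dups.items()}


def extract_uris(data):
    """Targets of every /URI literal string. Backslash escapes are undone by
    dropping the backslash (octal escapes and hex strings are not handled)."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm(data, min_links=3, cluster_ratio=0.6, small_bytes=200_000):
    """PDF_SEO_LINK_FARM shape: small file, many links, most on a single host.
    The thresholds are illustrative assumptions, not the report's tuned values."""
    uris = extract_uris(data)
    hosts = Counter(urlparse(u).hostname or "?" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    clustered = top_n / len(uris) if uris else 0.0
    flagged = (len(data) <= small_bytes and len(uris) >= min_links
               and clustered >= cluster_ratio)
    return {"links": len(uris), "hosts": len(hosts), "top_host": top_host,
            "clustered": round(clustered, 2), "flagged": flagged}


if __name__ == "__main__":
    dups = duplicate_objects(parse_objects(SAMPLE_PDF))
    for (num, gen), (first, last) in dups.items():
        print(f"{num} {gen} obj defined twice, raised={rate_duplicates(dups)[(num, gen)]}")
        print(f"  first-wins: {first!r}\n  last-wins:  {last!r}")
    print(link_farm(SAMPLE_PDF))
```

On the constructed sample the duplicate of object 4 is rated as raised because the later body is a JavaScript action, and the link-farm check flags four links with 75 % of them on farm.example. Against a real carrier, swap SAMPLE_PDF for the file's bytes and expect hosts to be spread across several CDNs, as in the URL list above; the ratio threshold is the knob to tune for that.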

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_004_off00015628.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecode stream at offset 0x15628
    Size: 17204 bytes
    SHA-256: 57ce1199a67385d554a90f3f0f59999c386ce7161b34b6229e9a97d20fcb0ebc
  • font_00_sfnt_off00011cac.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CAC
    Size: 4844 bytes
    SHA-256: cf08003fc4b8a8ff75b82cfd5beb6a8164ec4e8c1c0e0d2b6082f4e6bb90ff1f
  • font_01_sfnt_off00012d1f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D1F
    Size: 13156 bytes
    SHA-256: dce5a9509fe34bba2daad07bb95049f1f1b3b34961cd473eadbc2249505c2205
  • font_03_sfnt_off00016f47.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16F47
    Size: 4324 bytes
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
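Rows like the ones above come from a stream carver: locate each stream object, honour its /Length when it is a direct integer, inflate FlateDecode data, recognise sfnt font programs by their four-byte magic, and hash the result. The script below is an added example for this page, not the report's tooling. Its build_sample() input is a constructed PDF fragment (not the analysed file) in which the "font" is only a fake sfnt header, and the kind strings mirror the table above for readability.

```python
"""Carve streams out of a PDF the way the artifact table above is built: find each
stream object, honour a direct /Length, inflate FlateDecode data, recognise sfnt
font programs by their magic, and record offset, size and SHA-256."""
import hashlib
import re
import zlib

DICT_STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
# Direct integer /Length only; an indirect "/Length 6 0 R" is skipped on purpose.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_sample():
    """Constructed PDF fragment, not the analysed file: one Flate-compressed content
    stream and one uncompressed FontFile2 whose body is only a fake sfnt header."""
    content = b"BT /F1 12 Tf 72 720 Td (constructed sample) Tj ET\n" * 20
    flate = zlib.compress(content)
    font = b"\x00\x01\x00\x00\x00\x04" + b"\x00" * 6 + b"glyf" + b"\x00" * 60
    pdf = b"".join([
        b"%PDF-1.4\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(flate),
        flate, b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font)),
        font, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])
    return pdf, content, font


def carve_streams(data):
    """(offset, dictionary bytes, raw stream bytes) for each stream, in file order."""
    found, pos = [], 0
    while True:
        m = DICT_STREAM_RE.search(data, pos)
        if not m:
            return found
        dct, start = m.group(1), m.end()
        lm = LENGTH_RE.search(dct)
        if lm:
            end = start + int(lm.group(1))
        else:  # indirect or missing /Length: fall back to the keyword, trim the EOL
            end = data.find(b"endstream", start)
            if end < 0:
                return found
            while end > start and data[end - 1] in b"\r\n":
                end -= 1
        found.append((start, dct, data[start:end]))
        pos = end  # resume after the payload so binary bytes cannot fake a dictionary


def classify(dct, raw):
    """Return (kind, payload): Flate streams are inflated, sfnt fonts spotted by magic."""
    kind, payload = "raw-stream", raw
    if b"/FlateDecode" in dct:
        try:
            kind, payload = "decompressed-pdf-stream", zlib.decompress(raw)
        except zlib.error:
            kind = "flate-corrupt"  # keep the raw bytes; still worth hashing
    if payload[:4] in SFNT_MAGICS:
        kind = "pdf-font-stream"
    return kind, payload


def carve(data):
    """One record per stream with the fields the artifact table reports."""
    records = []
    for offset, dct, raw in carve_streams(data):
        kind, payload = classify(dct, raw)
        records.append({"offset": offset, "kind": kind, "size": len(payload),
                        "sha256": sha256_hex(payload)})
    return records


if __name__ == "__main__":
    pdf, _, _ = build_sample()
    for r in carve(pdf):
        print(f"{r['kind']:24} offset 0x{r['offset']:X} {r['size']} bytes {r['sha256']}")
```

Size and hash are taken over the inflated payload, which is what the decompressed-pdf-stream kind in the table implies; hashing the compressed bytes instead would make the same content unmatchable across files that differ only in compression level. Streams with an indirect /Length or a corrupt Flate body are kept rather than dropped, since those are exactly the objects a targeted PDF uses to confuse a strict parser.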