Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0e163927f9dd45f…

MALICIOUS

PDF

76.0 KB Created: 2021-03-10 16:00:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aaa0f44c9c37d2ab22a8ec74efab67ce SHA-1: d60337eafcc572f097f160d44ea9ebc16086218e SHA-256: f0e163927f9dd45ffb40bd300290d1e6e8436d0b1a28b49a6f05dba3e0651b08
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used in link farm attacks to manipulate search engine rankings or distribute malicious content. The primary malicious URL identified is https://mezovuduw.ru/wix?keyword=alpha+sapphire+legendary+guide, which is likely used to redirect users to a phishing or malware site. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=alpha+sapphire+legendary+guide
    • https://cdn-cms.f-static.net/uploads/4479925/normal_6029fc237ee43.pdf
    • https://static.s123-cdn-static.com/uploads/4393511/normal_5ff4959b72342.pdf
    • https://static.s123-cdn-static.com/uploads/4466398/normal_5ffca7ef31748.pdf
    • http://poniwipojoxowo.22web.org/lagu_agust_d_jimin_tony_montana.pdf
    • https://static.s123-cdn-static.com/uploads/4462065/normal_5ff3b3f71e6ed.pdf
    • https://cdn-cms.f-static.net/uploads/4463005/normal_5fd0efcfbca46.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9c12218e-e157-4070-b33f-4467b3cb42bb.filesusr.com/ugd/0c60a0_6b2b8f1802c24c8eaacc4af29989d941.pdf?index=true
    • http://lapekekefexe.rf.gd/romeo_juliet_full_movie_tamil_dubbed.pdf
    • https://uploads.strikinglycdn.com/files/318f1360-9e13-4e9b-bff8-9ede9b4c0a05/graco_pack_n_play_quick_connect_mattress_size.pdf
    • http://pakewerulawe.rf.gd/15017146933.pdf
    • https://45180a89-8b92-4d54-a4c6-cdf0ad6af3c7.filesusr.com/ugd/2b98a3_1914476a70824b11900f9969cbb0a9b1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/95e33629-165f-4b3a-a22e-ee2767a5026b/silemuzuzuwo.pdf
    • https://0a01f052-6ee6-4bfa-868d-d2e49373b03f.filesusr.com/ugd/55f640_2de1cdef349f4bbab8df625184c59e06.pdf?index=true
    • https://891dfe3a-8969-4df2-b253-5ccc4ebbb7a0.filesusr.com/ugd/e66789_53f65689ff6f4c3b9d5a84d14d1cc58f.pdf?index=true
    • https://6131fb9f-3080-406c-a6ab-c4686b6a2f6f.filesusr.com/ugd/52be6f_458b4da7fcc94d13bf87b4d73453bae8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c2030111-3b5c-4b73-80fd-e52df3fd8ee8/fapiwikukug.pdf
    • http://notaruk.rf.gd/aliens_night_full_movie.pdf
    • https://uploads.strikinglycdn.com/files/1fc0e184-b40a-4603-9fb9-6591e97926a2/92914810725.pdf
    • https://uploads.strikinglycdn.com/files/88b4b84a-7947-43ec-a8f9-482ec1038c37/char_broil_big_easy_beef_ribs.pdf
    • https://uploads.strikinglycdn.com/files/f8949108-516b-4d7a-83eb-55c5c1160610/64588091620.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed79.bin
3cd6cac50981f99c3d751dff20b4f25c269248eb5ed2f9263bc8120d0f5b63fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED79 5312 bytes
font_01_sfnt_off0000ff85.bin
c23c479cf64efb0141fb6422a1fefaf825c47d382d1ac3266c0a2304ff1e46ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF85 10184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.