Malicious PDF — malware analysis report

Static analysis result for SHA-256 f283c83426bbfb98…

Verdict: MALICIOUS
File type: PDF
Size: 90.3 KB
Created: 2021-03-28 11:34:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: d984b5d9ddceb952e99733099b670a4a
SHA-1: b1e0769ee617f32bdd38d5b977faab2071911d99
SHA-256: f283c83426bbfb98faa379d46930fe1bc1730cc9e53b016b280007d5b2fa19c2
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains text that appears to be a lure related to a "binary division algorithm pdf" search query. The primary malicious indicator is the embedded URL pointing to `https://mezovuduw.ru/award`, which is likely used for phishing or to serve a secondary payload. The PDF also contains numerous other URLs, many of which are hosted on disposable domains, further supporting malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/award?keyword=binary+division+algorithm+pdf (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010875.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10875 | 5668 bytes
  SHA-256: 9e371f7b10f7f1fbccef309eb10f1dc2d2a462e0db8a08c0334d549035cb86e4
font_01_sfnt_off00011ba0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11BA0 | 12348 bytes
  SHA-256: c82712273978982538c6272729bd28143037471f80aaff8c58f51833edf9cab9
font_02_sfnt_off0001461c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1461C | 16136 bytes
  SHA-256: 47797f690123d35f1d5da2e12ebd88c9edd636d4b973538e360fe3fdf29afd2f