Malicious PDF — malware analysis report

Static analysis result for SHA-256 f47fda127fe62a08…

MALICIOUS

PDF

76.8 KB Created: 2021-04-19 21:54:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d98ff4d0e53ab8d20d1f83770e5c5ec4 SHA-1: d5588bb368c093a571453d7f4c7916dc0757c25e SHA-256: f47fda127fe62a087a5688404a6714988d4e2bf2f0df9809b1d08dbd88ef730b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was identified as malicious by a machine learning classifier and ClamAV, indicating a phishing or trojan threat. It functions as a link farm, containing numerous external URLs, with one prominent URL pointing to `https://soxebez.ru/strik`. The document's structure and the presence of many links suggest an attempt to direct users to potentially harmful content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/strik?utm_term=what+colleges+have+business+majors
    • http://save50.pro/accessing_the_dark_web_on_androidao2ip.pdf
    • http://usecabinets.xyz/canon_mp470_manualhfavq.pdf
    • http://xitnet.fun/webupowifabudunz6hi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e4da1597-3bb3-488b-9226-7c2c9e06e9ce.filesusr.com/ugd/db5d73_69ac33e94cca435889bf99e22fb31993.pdf?index=true
    • https://s3.amazonaws.com/gasodamuza/dukibujurafe.pdf
    • https://91e55214-10ad-44cf-a10a-60a9392df58b.filesusr.com/ugd/e1c37d_36028cdbb8564042a2a304e69a14a357.pdf?index=true
    • https://s3.amazonaws.com/tuzamada/vofirewibum.pdf
    • https://uploads.strikinglycdn.com/files/10f02d72-1a90-44d4-b1df-fabfb0bd810f/fifty_shades_of_grey_full_movie_free_download_dual_audio_480p.pdf
    • https://11210a16-d5d1-4e17-93a3-27fbbb12f21b.filesusr.com/ugd/fb658e_9067101604444bf9a9072bc836c5b684.pdf?index=true
    • https://466f9527-ada3-48b4-ac0c-4ba5546996ca.filesusr.com/ugd/a4b6b9_c00adf98fb22427fa7178f8e40c55bc7.pdf?index=true
    • https://9169454a-6e45-4b39-89c4-5cd9bf0a6084.filesusr.com/ugd/32fbc8_2bed61f6572348f7bf1abb4bf8112bed.pdf?index=true
    • http://zoloxufiz.epizy.com/kerboodle_answers_activate_2.pdf
    • https://s3.amazonaws.com/nimuwet/bootstrap_blog_template_html.pdf
    • http://jutenolare.rf.gd/lalolejitakarexo.pdf
    • https://uploads.strikinglycdn.com/files/1e26b288-79c6-4f92-bf55-dc27b69c4390/26340429949.pdf
    • https://03dfb0eb-7fe6-4188-ad87-ea2b88df7b19.filesusr.com/ugd/f967ac_35ed29d440e544ee80958da333f7c11e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bdf40307-572e-4d46-ad35-6fcbe4ffe42d/15577396816.pdf
    • https://c8f0d892-4c73-447a-841b-b6a48a565a7d.filesusr.com/ugd/928a57_dba23de954a64253bdfb5229fb52b32f.pdf?index=true
    • https://07e0a16e-b77d-475b-b724-88bbaedb347c.filesusr.com/ugd/8e9e2f_09f2b768d7334acc8881a833ae1f9c7e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/04ba1e08-7ef7-4b7a-b1a8-785e9642cc18/deepak_chopra_21_day_meditation_day_1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed1a.bin
cbd55461ee67a304679e6525e8491734ea78331cd1a0178930524900d873d57c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED1A 5500 bytes
font_01_sfnt_off0000ffbd.bin
b7de1d21fccc86340d39eeed349973c1e36a263098282f080a7542e7d0e6c054		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFBD 11288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.