Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6344e51d06b1b6a…

Verdict: MALICIOUS
File type: PDF
Size: 119.0 KB
Created: 2021-03-24 17:51:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 131d5b0dbea6de974952c9be1a345ab4
SHA-1: 7f167752efd7032a4a999fe02a32a0a37e261d17
SHA-256: f6344e51d06b1b6a74326e88e87f2e431aa4226863b5d3a89fbd3b12c3f78246
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm designed for SEO manipulation. One prominent URL, 'https://mezovuduw.ru/wix?keyword=yugioh+gx+spirit+caller+puzzle+guide', is directly embedded and likely leads to a malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00015ea4.bin
    SHA-256: 1a4b6e06e6942e1dca237bb011d21fb0043f5de3c895cf029d73a550bebf7dc5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x15EA4; Size: 7496 bytes
  • font_01_sfnt_off000177e2.bin
    SHA-256: 4ed7581db1dffac6b765f4928a7d8ca95525e6251d8eff45a8933d8d5c74a37e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x177E2; Size: 5412 bytes
  • font_02_sfnt_off00018a58.bin
    SHA-256: 56cbdcb1219ad9eebba6c535bdc43d5ba697864308aea8fcd8bba40da9a609f6
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x18A58; Size: 14628 bytes
  • font_03_sfnt_off0001b731.bin
    SHA-256: 60f53b17f7925ac1818ac9336ea58fd206fea48872b5377b70e6fb8114080afd
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1B731; Size: 16132 bytes