Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9aaab93400c3763…

Verdict: MALICIOUS
File type: PDF
Size: 73.7 KB
Created: 2021-04-16 02:24:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41ca63a3b90b399026b34c39b879be52
SHA-1: d7ddca2bb81b455be838f2d3bc1ca5f8361542bb
SHA-256: f9aaab93400c376397e98527e42c655227dda6765056198ced911030717ea4db
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a ClamAV signature and an ML classifier, indicating malicious intent. It contains a large number of external links, suggesting a link farm or phishing operation. One of the embedded URLs, 'https://xezojetit.ru/strik?utm_term=club+dead+t+shirts+vintage', is the primary indicator of this malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://xezojetit.ru/strik?utm_term=club+dead+t+shirts+vintage

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d6cb.bin
    SHA-256: 9bcd41b5b6fb01c6a8259cd5fb88bf9365ce51f39f1b9e8295896a48ce74257b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD6CB
    Size: 5080 bytes
  • Filename: font_01_sfnt_off0000e804.bin
    SHA-256: 84dced72483a040055fb2974635689c63d4796823ba82e06e102ead1305c8fcc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE804
    Size: 10300 bytes
  • Filename: font_02_sfnt_off00010b3d.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B3D
    Size: 4324 bytes