Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa5fe6398e5392f7…

MALICIOUS

PDF

74.4 KB Created: 2021-03-27 23:00:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e4fcc4d11e201adb4464ec1d379da1f SHA-1: b04c843b062cc9c92527aef75a65b53ad3cc9ce4 SHA-256: fa5fe6398e5392f76ff97d611a4fac69bca3fb13bc012beca1b81af07f3dd580
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, specifically flagged as a phishing trojan. It functions as a link farm, presenting numerous external links, some of which are on disposable hosting. The primary URL, 'https://xezojetit.ru/123?utm_term=plague+inc+mod+android+1', suggests a lure related to game downloads, likely to trick users into downloading malware or visiting further malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=plague+inc+mod+android+1
    • https://sevokubataper.weebly.com/uploads/1/3/0/8/130814346/3730326.pdf
    • http://instapodarok.site/pokemon_sun_and_moon_rom_download_fomqj3d.pdf
    • https://cdn.sqhk.co/midipijikami/ihifogf/zotedurovepos.pdf
    • https://kakowafalajoji.weebly.com/uploads/1/3/4/4/134455686/zozuluz.pdf
    • http://voicebftyi.com/fufurujiferfyts.pdf
    • http://kanubanedagag.22web.org/why_is_the_as_curve_upward_sloping.pdf
    • https://cdn.sqhk.co/kuxefoxo/HCdgepI/elasticsearch_bulk_update_performance.pdf
    • https://cdn.sqhk.co/pomisiforuko/eCbgdLO/merchants_auto_insurance.pdf
    • http://dihtyar.online/pabepizutoxxlm4n.pdf
    • https://vamubediva.weebly.com/uploads/1/3/4/9/134901044/dixala.pdf
    • https://cdn.sqhk.co/nazutupim/cgdPpkr/79691960750.pdf
    • http://magnitoli-2ekran.site/corningware_stovetop_percolator_instructionsmbrh6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://76b44699-1094-4fd8-8d4a-70b7be8159c3.filesusr.com/ugd/c450b2_c67bf15b7feb48688643f114146f4f07.pdf?index=true
    • https://9c12218e-e157-4070-b33f-4467b3cb42bb.filesusr.com/ugd/0c60a0_4250120224aa4ecb8cf56c7556e7f8b7.pdf?index=true
    • http://tojozolatenizum.epizy.com/raees_movie_hd_mein.pdf
    • http://xelaful.epizy.com/phonics_worksheets_grade_3.pdf
    • https://ce322291-b3da-4cc2-ae0f-523e25daec44.filesusr.com/ugd/4530da_1cad90e12f704e83a07ebe08aa05eee2.pdf?index=true
    • http://daduzafez.epizy.com/laximos.pdf
    • https://7ffe38df-ef78-47a1-8632-a9c579db478a.filesusr.com/ugd/8ff694_80bf3ce67a944c6cb9acc52f00b27f4a.pdf?index=true
    • https://36535336-4f9e-4c0a-b1ad-3385cb5d4299.filesusr.com/ugd/15ebe2_0dc3d649d9d443a1ad26839c8e018346.pdf?index=true
    • https://36535336-4f9e-4c0a-b1ad-3385cb5d4299.filesusr.com/ugd/15ebe2_7a3775309f93496c92ef3c054b452bf5.pdf?index=true
    • https://f06ae689-34e6-4fd9-b749-a5985747e370.filesusr.com/ugd/4117a9_54c2f4d6e70240bc90db4408535a4c57.pdf?index=true
    • https://dc010c70-835d-4b56-8cb0-1e1bda7cab64.filesusr.com/ugd/fb576b_2b9ffd90ff544ba8b12f1d31ef299981.pdf?index=true
    • http://bazuliditufo.epizy.com/86630521089.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db3c.bin
a0c95cdcadd117e047242713a53d87a1a889a868e073145d96397f733bd642f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB3C 5136 bytes
font_01_sfnt_off0000ec9e.bin
2d574abff5d13245debb7fcded7ee43a484dcecd88904183c63b11c310d3d4f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC9E 22012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.