Malicious PDF — malware analysis report

Static analysis result for SHA-256 faed433b82d74d11…

Verdict: MALICIOUS
File type: PDF

Size: 83.1 KB
Created: 2021-03-16 03:22:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61684be6da88653ce389b5877da48224
SHA-1: 11d4d6ea76a96bcada4644a064ca4e3b47623e22
SHA-256: faed433b82d74d118d88a6db23228ae3276398d6754e84cc34f22c8d03b9c36a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The PDF contains a large number of external links, suggesting it functions as a link farm or SEO spam document. One of the primary external links points to 'https://kuzutuzo.ru/wix?keyword=neo+freudians+pdf', which is likely a malicious or phishing destination. The document body is heavily obfuscated and unreadable, but the large number of external links together with the ML classifier output strongly indicates malicious intent, most likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/wix?keyword=neo+freudians+pdf
    • https://cdn.sqhk.co/sevijeruba/e3U7eP8/tejopiwi.pdf
    • http://shtancircul.site/sitebawimubaniduzojubm8hky.pdf
    • http://goods-amzon.com/how_to_reset_a_delphi_xm_radioh990i.pdf
    • http://foxiduwanati.mygamesonline.org/download_novel_best_seller_2020.pdf
    • http://blankid.ru/aplikasi_genetic_calculator_lovebirdjrjuo.pdf
    • http://ergors.space/xitejiretfs6ln.pdf
    • https://cdn.sqhk.co/tiwefuxab/pGjjjje/jinetarutaxilusujosido.pdf
    • http://leadtop.co/how_much_does_enterprise_charge_to_rent_a_cargo_vanpzrfn.pdf
    • https://cdn.sqhk.co/pazaxefuma/hdBjeBo/mezatifotibakamitaxem.pdf
    • http://foxilajat.sportsontheweb.net/wenujovitif.pdf
    • https://cdn.sqhk.co/votojuxosaf/6RIO9i5/song_pop_2_hacked_apk.pdf
    • https://cdn.sqhk.co/jefigujaxev/gigc0hb/game_mod_big_bang_evolution.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://38f9ccf9-db33-4582-994d-0ea518e52d38.filesusr.com/ugd/368de4_dbc77d03ff4441b089a0bd4627340e8e.pdf?index=true
    • https://9387bd13-3746-4408-b474-2867f26e464d.filesusr.com/ugd/ace02d_c13fd09053a24f5eb4bc913c19eb0c72.pdf?index=true
    • https://46d16763-6c5f-4e19-aa2c-3f4071fcbec2.filesusr.com/ugd/26f730_2e0fc632064b4efc97ff4eccd17fd7b4.pdf?index=true
    • https://s3.amazonaws.com/zibenoroduzuw/call_of_duty_mobile_game_size.pdf
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_efd7e662134d4a049e83cb1f6cdc7655.pdf?index=true
    • https://3df06c22-1e8a-4082-8cc2-a0fdc0609706.filesusr.com/ugd/d86e81_4347d3d7d2294463a580f85fc6c8b483.pdf?index=true
    • https://8767aa75-4bd5-48c0-94ca-24e983238001.filesusr.com/ugd/debdc1_769a6259c6bc4a51bad6746e9a8756e8.pdf?index=true
    • https://34e223d5-b18a-4f89-96b3-7c58aa965d90.filesusr.com/ugd/440e29_5bcaae9b58254d399983b0131fa9c435.pdf?index=true
    • https://2d130471-2a64-48ba-87cf-8f1e86c6acad.filesusr.com/ugd/9c43ec_7f9970e981ff465988b1ffa8443077b6.pdf?index=true
    • http://jabodegodonirad.atwebpages.com/jamigelokubutilewakes.pdf
    • http://rijemow.onlinewebshop.net/wajalulezafakuri.pdf
    • https://s3.amazonaws.com/taturi/kusugudip.pdf
    • https://s3.amazonaws.com/gapivegek/vusozatiroguwek.pdf
    • https://4b5f4e46-8b81-4257-bf39-61fc08ba57b0.filesusr.com/ugd/7ea8bb_0b87595a9f1c4257a87dff52bcf24362.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fc60.bin
    SHA-256: ab394e521d5cd16f6b115bc88b1dc30ad719739706fdf6c0cde753dadae55431
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC60
    Size: 4776 bytes
  • font_01_sfnt_off00010ca5.bin
    SHA-256: 61d258fdbaba3093a04aa2a1d1eae1f3fc7166ba1472265a78f4b2761fc5e719
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CA5
    Size: 10652 bytes
  • font_02_sfnt_off000130cf.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x130CF
    Size: 4324 bytes