Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe63749bd6aa4568…

Verdict: MALICIOUS
File type: PDF
Size: 85.5 KB
Created: 2021-03-19 11:52:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96586846ffbb5e3603f5d8f389cb4122
SHA-1: bc07897ee15bd62001dfef563601dc091feee614
SHA-256: fe63749bd6aa456872e6dd2b41c9a90433989ceab1a122313b9feeba6ad86005
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple external links, with one heuristic specifically identifying a 'Payment redirection / bank-detail change lure'. The presence of numerous URLs, including one pointing to 'mezovuduw.ru', suggests an attempt to redirect users to malicious websites. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing or credential-stealing document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Payment redirection / bank-detail change lure (severity: high, rule: SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/wix?keyword=what+is+form+it-201-v
    • https://nusuvonofa.weebly.com/uploads/1/3/1/8/131872273/jazomada_kiviketed.pdf
    • https://tisivuvuzudopur.weebly.com/uploads/1/3/0/7/130738638/kasewonipu_tujomomabugetot_wumoxekedaf.pdf
    • https://cdn.sqhk.co/vibebexez/higf5id/animal_hospital_cantiague_rock_road.pdf
    • http://mitimewigupito.mypressonline.com/bixaverixo.pdf
    • http://derewopenila.22web.org/vuroborasolituju.pdf
    • https://cdn.sqhk.co/wazafepel/Jtthdep/93175782250.pdf
    • https://dujibirarikow.weebly.com/uploads/1/3/4/3/134321406/doxilozopebex-dinen-xixasasa-jesomitet.pdf
    • http://lefibipefazefep.mypressonline.com/bridesmaid_proposal_card.pdf
    • https://kijaxupujik.weebly.com/uploads/1/3/2/6/132695195/wojakonosapegibibo.pdf
    • https://cdn.sqhk.co/zoraxiraga/hefUo6E/8682278473.pdf
    • https://dumisoxi.weebly.com/uploads/1/3/4/6/134625223/naxox.pdf
    • http://juraxoxodas.scienceontheweb.net/download_bacaan_yasin_dan_tahlil_latin.pdf
    • https://cdn.sqhk.co/fogobewataja/ibgijig/24416196208.pdf
    • http://setifol.66ghz.com/adsl_splitter_circuit_diagram.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b2d1eea7-aef5-47fc-962c-88b5513ecafc.filesusr.com/ugd/3a57bc_b31a388d6683422498566bfc8efbdfd3.pdf?index=true
    • https://b133b025-67d1-4190-9e53-fbb99503dec2.filesusr.com/ugd/caf13f_94af3d0ec4dd4cb8b6150e7963c3534a.pdf?index=true
    • http://zejibanunepi.myartsonline.com/8114476660.pdf
    • https://5862e4ea-63a6-4c92-af93-e06d02d1a664.filesusr.com/ugd/eaa371_3ae2dead4dc24ce7a97521cb073d2859.pdf?index=true
    • http://wuwedutukuw.epizy.com/divisibility_worksheet_for_grade_5.pdf
    • http://dexadusoxeb.atwebpages.com/libro_ingenieria_automatizacion_industrial.pdf
    • https://1527c8d3-3321-4e9f-872f-e2bebb57bac2.filesusr.com/ugd/bf2d42_c49c6d0fad7c44079a18f112bbba3739.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000febb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEBB | 1880 bytes
  SHA-256: a2fc282748effbdc5dad957157eaf02f3444d4cda99df6a7b8b788a7a497d68d
font_01_sfnt_off000107b5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x107B5 | 5404 bytes
  SHA-256: e177b4de81ea55e4ab92feb504d47ad8b797499bf710d92cee5127f03f0b1d4f
font_02_sfnt_off00011a09.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A09 | 2112 bytes
  SHA-256: 91b67746ad88d50668d6ad44803244d9824edc2d9f8f07d4bc8e33340f78646a
font_03_sfnt_off00012345.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12345 | 10832 bytes
  SHA-256: c9bbaba5d28f0f3a8e2b104032238fe841a6db4291b207a1ad959c349f2daca2