Malicious PDF — malware analysis report

Static analysis result for SHA-256 0049ca6ad0846a88…

Verdict: MALICIOUS

File type: PDF

Size: 80.7 KB
Created: 2021-03-23 17:51:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4310dd36968a707d686cf53f90309e0c
SHA-1: bb0bfcfc4278e7c0ec9b03d911c66fa161feb960
SHA-256: 0049ca6ad0846a88b6359d5bf8e5754e4fe1a8d343560962e1bae1371ea2b5e6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which point to potentially malicious domains, suggesting a link farm or phishing attempt. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate an attempt to direct users to external content, likely for malicious purposes such as credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://dafemum.ru/strik?utm_term=sodastream+water+bottle+size
    • http://dobomasinuraz.iblogger.org/block_diagram_simplification_problems.pdf
    • https://wogizirimabote.weebly.com/uploads/1/3/5/3/135337148/monomuxotuk.pdf
    • http://fogebepe.22web.org/adeptus_astartes_codex_8th.pdf
    • http://lapitubemexidi.mywebcommunity.org/22025493121.pdf
    • https://sirowatogiwu.weebly.com/uploads/1/3/2/8/132814809/mulaferotupod_vudukixataka.pdf
    • http://fibutogu.mywebcommunity.org/86266748314.pdf
    • http://rikopevadibix.iblogger.org/lirafunuwawo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/896c4b03-c5fc-45d5-96b3-32831100edd9/remote_control_app_for_non_smart_tv_iphone.pdf
    • https://fed4949e-3809-4fc0-a28b-84c5d390f589.filesusr.com/ugd/94482e_3fd2c0f276bc44378418a8755af5f4ba.pdf?index=true
    • https://uploads.strikinglycdn.com/files/745aa38d-7480-4bc4-9eda-e8cb3b8b8111/troybilt_pony_tiller_engine.pdf
    • https://48bf584d-d56c-45cf-b4f3-c1c05dce5274.filesusr.com/ugd/3f4b99_39fcf4534a2948d19fa7326544df867c.pdf?index=true
    • http://luxizetugo.epizy.com/49673361187.pdf
    • https://uploads.strikinglycdn.com/files/c8c18eff-3353-45a5-9ace-81275be3ab43/cuentos_del_diario_de_greg_para_leer.pdf
    • https://uploads.strikinglycdn.com/files/65aca5c7-11ff-4dda-9260-0b4608d459a3/55758701456.pdf
    • http://wazipegemezen.atwebpages.com/84617487666.pdf
    • https://91953a53-6f32-4f2a-9b2e-0f954541ff31.filesusr.com/ugd/dad90e_ac75c9e657d6479cacec532181e06e5e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/902f17b2-fa49-407f-a005-dc47eca260a5/2012_ap_lang_rhetorical_analysis_sample.pdf
    • https://3b044092-e341-4c69-a8e2-52b14fc1865f.filesusr.com/ugd/370021_7ba4189635624e74ad92163f5ae93e25.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bb652fd7-40d4-4d3e-98f6-8414b5a6d53f/biddeford_heated_blanket_auto_off.pdf
    • https://uploads.strikinglycdn.com/files/5fa23108-df17-4d61-ba76-80f595b924c0/castle_of_otranto_summary_and_analysis.pdf
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_c457a75c304946dfb6fd22a901e8bf5b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7b8c4096-43bc-450c-9b50-440f911882ab/on_combat_dave_grossman.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd7a.bin
  SHA-256: 7536452f182f6f4ba646f5a2eee100fd32564ca5127ca1b2714845afd50a6f18
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD7A
  Size: 5356 bytes

Filename: font_01_sfnt_off00010faa.bin
  SHA-256: e116ec4b2e3cfd0ea26bd52a64d591fa8cbc8fdfc5d37a4e0643ca37dcfa2912
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10FAA
  Size: 11044 bytes