Malicious PDF — malware analysis report

Static analysis result for SHA-256 043999b6e35939a1…

MALICIOUS

PDF

80.7 KB Created: 2021-03-22 09:09:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e00add36c20f35e7673343a8be29419 SHA-1: 72e96aa58b7a82ac40913e29bdac9bd52b1fb1f8 SHA-256: 043999b6e35939a1e537ca797018fc2737f6f147e1f65749a272c9de29c1942e
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious sites. One of the embedded URLs, 'https://dafemum.ru/123?utm_term=bulk++skillshare+videos', appears to be part of this link farm. While no scripts were directly extracted, the PDF structure and the presence of external links suggest it may be used to deliver a second-stage payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/123?utm_term=bulk++skillshare+videos
    • http://siwupezomejen.getenjoyment.net/zenazizebefumat.pdf
    • https://cdn.sqhk.co/wejawujagi/b2AcyPZ/40424447487.pdf
    • https://cdn.sqhk.co/jepivitixiwo/jgfgElx/russia_liga_pro_ice_hockey_2020.pdf
    • https://cdn.sqhk.co/miraroki/f6wHhhf/68627604046.pdf
    • https://joninotabuxid.weebly.com/uploads/1/3/5/3/135387421/momatodeb.pdf
    • https://cdn.sqhk.co/jirudumom/hcd4jcB/transformers_robots_in_disguise_season_4_episode_14.pdf
    • https://novufetus.weebly.com/uploads/1/3/4/1/134131343/vexefagonidivo.pdf
    • https://cdn.sqhk.co/sikereri/geggidL/64140635367.pdf
    • https://somirurawepaf.weebly.com/uploads/1/3/1/3/131381963/5254266.pdf
    • http://vawitamabizegef.22web.org/40671216147.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://defozuwonig.rf.gd/aitken_spence_plc_annual_report_2019.pdf
    • https://uploads.strikinglycdn.com/files/e743cb6c-70d0-41b3-880b-06331b067657/who_owns_traeger_pellet_grills.pdf
    • https://uploads.strikinglycdn.com/files/a926b599-f8a5-4c92-906c-1bf0cfa24f56/jajetoziliri.pdf
    • https://d0bf7e8b-5449-41c0-93e9-161603c0719f.filesusr.com/ugd/197ed4_e3ccba06b27743d1ab2f7deb538a2207.pdf?index=true
    • http://ruvemad.myartsonline.com/25452783652.pdf
    • http://senovavokugured.rf.gd/dagix.pdf
    • http://juborekif.atwebpages.com/14625238477.pdf
    • http://xurosuforudev.atwebpages.com/xukudatovetutarevebuxe.pdf
    • http://tikijot.epizy.com/6030278522.pdf
    • https://a765b249-d442-4b07-8ea9-8318d996b894.filesusr.com/ugd/902d29_55bbd7b97a8e42a5a31e48a58f4552dd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/136d60d9-d360-444c-a29f-7ac649889bec/55458194208.pdf
    • http://jowokepo.atwebpages.com/18346226951.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f02a.bin
d9486e0e2cc32409bdd9b970a71d258acbf4f887996cd1477f8b26b97889d7ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF02A 4780 bytes
font_01_sfnt_off00010077.bin
3d46e8d287bfa532fb67c86e2b15c4b5005cafea21e04b83181bfb07c4bd1676		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10077 11016 bytes
font_02_sfnt_off000125f8.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125F8 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.