Verdict: MALICIOUS
Risk Score: 156

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 Command and Scripting Interpreter: JavaScript
The PDF contains a large number of external links in the pattern of a link farm, with the primary host being dafemum.ru. This heuristic, combined with the ClamAV detection and the ML classification, strongly suggests a phishing or malware-distribution carrier. The document body, though heavily obfuscated, contains references to 'sarcasm memes apk' (the same phrase appears as the utm_term of the dafemum.ru URL) and to the wkhtmltopdf tool (an HTML-to-PDF converter, consistent with a machine-generated document), indicating a lure aimed at users searching for that content, who are then routed to the external URLs.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9974
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://dafemum.ru/123?utm_term=sarcasm+memes+apk
- https://cdn.sqhk.co/zutigaku/jdZSSgd/flat_wedding_shoes_designer.pdf
- http://copyrightsupport-ig.com/52474848776tkd83.pdf
- http://future-techno.ru/rafesedalaywhjb.pdf
- http://jilet1.club/supraventricular_tachycardia_guidelines_ahaze8e3.pdf
- https://cdn.sqhk.co/lunabati/JgekDjf/cross_stitching_vs_embroidery.pdf
- http://vinnipoh.fun/575394258747yb84.pdf
- http://tomogorman.com/net_technical_lead_interview_questions_and_answers4p12h.pdf
- https://cdn.sqhk.co/jabisopomuxo/JEhd7gh/hitman_reborn_episodes_watch_online.pdf
- http://chatik85939775.fun/contrato_de_arrendamiento_casa_habitacion_sencillo_mexicoyisjf.pdf
- http://axecheat7.xyz/pajutepa27e6d.pdf
- http://avit0.pro/mutizubugilarayknp.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fedorahosted.org/lohit
- https://a52dd608-e7dd-4d50-8005-e0fd7a3896b4.filesusr.com/ugd/43d2fc_352234a8dc1a47eda16d3cbd53a2d127.pdf?index=true
- https://dbba0f06-1911-40f0-8c80-a2638c7f81cc.filesusr.com/ugd/b13fd1_6f87b6c272054eff82a324d15fcf64f3.pdf?index=true
- https://0f0532cb-4478-41f9-91a1-cf277c4732ec.filesusr.com/ugd/8acad3_f2e5571792594c8580fa50c6d3835093.pdf?index=true
- https://96a9e3af-f0c3-4048-9e6c-0ad8da3c6018.filesusr.com/ugd/15d534_be72d4a06c694239b1fb6e96c6424999.pdf?index=true
- https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_46157d78ae5447eaafce0c9c7af6c930.pdf?index=true
- https://bc5ba30c-e427-49eb-abc4-9677f18f04c1.filesusr.com/ugd/bcd086_3475cd0d3bfa4174b3536589c37df1d1.pdf?index=true
- https://307a23dc-bb60-4906-9a68-69e45957aa19.filesusr.com/ugd/d2057d_43c3bf83f06c4e7380e327f143a07485.pdf?index=true
- https://737bf953-b780-43bc-8af0-312ed5328a40.filesusr.com/ugd/017c44_4e06442f26604e92bba5750294487096.pdf?index=true
- https://5be7aec3-7d66-433b-ae1d-2bfb807ddf2a.filesusr.com/ugd/24deb6_73e57602f94248f2b10012b9c2e81694.pdf?index=true
- https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_0cb35258b6ed4a45943ca22d6d76d68c.pdf?index=true
- https://528f6e5c-6927-42ef-b7a5-a8f9c349750c.filesusr.com/ugd/07b979_e7c26c4179b54a049d56e7b1333ae515.pdf?index=true
- https://7d6e376e-1ee3-4df5-88c1-8d1511d419f8.filesusr.com/ugd/7dd30d_e1ef2c2d7cf64df6904ce32402819791.pdf?index=true
- https://aa4a64a1-c69a-4176-9ab9-82648dcabbba.filesusr.com/ugd/70701b_ec5bc15aa0ba40859043897523ec4e30.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
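The two structural heuristics in the list above, PDF_SEO_LINK_FARM (many external /URI links clustered on one host in a small file) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with different bodies, so first-wins and last-wins readers disagree), can be reproduced on an uncompressed PDF with a short script. The Python below is an added example written for this page, not the analyzer's code; the sample PDF bytes, the host names (benign.example, farm.example, evil.example) and the thresholds in link_farm_score are constructed for illustration. It assumes objects are not packed into compressed object streams and that /URI values are literal strings without escaped parentheses; for real samples, normalise first with `qpdf --qdf --object-streams=disable in.pdf out.pdf` and expect hex-string and filter-encoded cases the regexes here do not cover.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not a real carrier): an uncompressed PDF with three /Link
# annotations whose /URI actions point at two hosts, plus an incremental update
# that redefines object 4 with a different body. Host names are illustrative.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /S /URI /URI (https://benign.example/paper.pdf) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /URI /URI (https://evil.example/dropper.pdf) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI values only


def parse_objects(data):
    """Return (num, gen, body) for every indirect object definition, in file
    order, repeats included. Assumes uncompressed objects (no object streams)."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data):
    """Map (num, gen) -> {'first': body, 'last': body} for objects defined more
    than once with differing bytes: what a first-wins and a last-wins reader see."""
    bodies = {}
    for num, gen, body in parse_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {key: {"first": v[0], "last": v[-1]}
            for key, v in bodies.items() if len(set(v)) > 1}


def extract_uris(data, resolve="last"):
    """Collect /URI action targets, honouring either the first or the last
    definition of a duplicated object so both parser views can be compared."""
    chosen = {}
    for num, gen, body in parse_objects(data):
        if resolve == "last" or (num, gen) not in chosen:
            chosen[(num, gen)] = body
    return [m.decode("latin-1") for body in chosen.values() for m in URI_RE.findall(body)]


def link_farm_score(uris, size_bytes, max_size=200_000, min_links=3, cluster_ratio=0.6):
    """Flag the SEO link-farm shape: a small file, many external links, most of
    them on one host. Thresholds are illustrative assumptions, not the analyzer's."""
    hosts = Counter()
    for u in uris:
        parts = urlsplit(u)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts[parts.hostname] += 1
    if not hosts:
        return {"external_links": 0, "top_host": None, "share": 0.0, "flagged": False}
    top_host, top_count = hosts.most_common(1)[0]
    total = sum(hosts.values())
    share = top_count / total
    flagged = size_bytes <= max_size and total >= min_links and share >= cluster_ratio
    return {"external_links": total, "top_host": top_host,
            "share": round(share, 2), "flagged": flagged}


if __name__ == "__main__":
    for mode in ("first", "last"):
        uris = extract_uris(SAMPLE_PDF, mode)
        print(f"{mode}-wins reader resolves:", uris)
        print("  link-farm check:", link_farm_score(uris, len(SAMPLE_PDF)))
    for (num, gen), views in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} redefined: first={views['first']!r} last={views['last']!r}")
```

Running both resolution modes side by side is the point of the duplicate-object check: a scanner that only honours the first definition of object 4 sees a benign link, while a last-wins viewer follows the redefined one. The per-host count is what the link-farm heuristic keys on; on the report's sample the dominant host is dafemum.ru, and the share of links on that host, not the raw link count, is what separates a carrier from a document with ordinary citations.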
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000d0d7.bin | 4c7581cf3a94eb4f5f85adfc0b7746487333581cfbc7cbcd8cb4a7f3e5a926a7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0D7 | 5212 bytes |
| font_01_sfnt_off0000e276.bin | c0fdb233a1506ff9723b500c4d56c58344ca38c1197d4bb57069c8a3b4085970 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE276 | 4084 bytes |
| font_02_sfnt_off0000f139.bin | d71ffc8f9c6b8c804972707a4eab36493dfc08da89e55d7bf782f9f4adaec736 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF139 | 4020 bytes |
| font_03_sfnt_off00010038.bin | 18a5d03948bbf1f3eb6fedefb0e275227da40ffd56a803c607dd5251b12bd81e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10038 | 10656 bytes |
| font_04_sfnt_off000124ee.bin | 52fae28bbd548b933ac26c3b5cf33273ed52bc4b0e20096a34ec3e2cac17ca7e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x124EE | 17624 bytes |