Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c8deee72ab7c967…

Verdict: MALICIOUS
File type: PDF
Size: 72.6 KB
Created: 2021-06-08 17:58:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b985a35d44e06fbb74e9f1bc8a5eabb2
SHA-1: b7e0f56f9083e95a5b0c1e3bd6f327db1d7019d1
SHA-256: 0c8deee72ab7c9679dc8d8614b7469d5ab497bfc7c1adc32527d4250921ae284
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, most of them pointing at other PDFs on free-hosting and CDN infrastructure (randomly named weebly.com subdomains, cdn-cms.f-static.net, uploads.strikinglycdn.com). That pattern matches a generated SEO link-farm or search-poisoning carrier rather than a document's genuine citations. One prominent URL, 'https://chcial.ru/pbw?utm_term=autobahn+police+simulator+2+mod+apk', carries a search term for a cracked ("mod APK") Android game and is the likely lure into an unwanted-software or phishing delivery chain. The ClamAV signature match and the ML classification (malicious score 0.9992) together indicate malicious intent, most likely distribution of malware or potentially unwanted software. Note that none of the heuristics below reports JavaScript in this file, so the T1059.007 mapping is not corroborated by the listed findings.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature name above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G, as written in "N G obj") is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) that record which path reached each URL are not reproduced in this listing.
    • https://chcial.ru/pbw?utm_term=autobahn+police+simulator+2+mod+apk
    • https://kadenuwu.weebly.com/uploads/1/3/4/6/134674874/kojul-jamimerajakex-lobejedeti.pdf
    • https://noragunefide.weebly.com/uploads/1/3/1/6/131637841/1f351.pdf
    • https://mosodufenu.weebly.com/uploads/1/3/4/8/134889918/5dfbd.pdf
    • https://temuruxaxinisuw.weebly.com/uploads/1/3/4/7/134715551/939b6f35ea11f.pdf
    • https://zenisitidijo.weebly.com/uploads/1/3/4/3/134309999/timul_lilemekufazula_wadakasali_rosazeza.pdf
    • https://cdn-cms.f-static.net/uploads/4409421/normal_5fd6d2541d979.pdf
    • https://cdn-cms.f-static.net/uploads/4404740/normal_5fd368ca11e0d.pdf
    • https://cdn-cms.f-static.net/uploads/4379718/normal_60270778557c5.pdf
    • https://gurigibafex.weebly.com/uploads/1/3/0/7/130739571/7733590.pdf
    • https://wapoduleg.weebly.com/uploads/1/3/4/8/134882123/5963373.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/890e5463-1a8a-4660-bc70-7833e4f51382/74348769674.pdf
    • https://uploads.strikinglycdn.com/files/dbbacb19-a56c-4ab6-9709-6b98ef2b54cd/passport_9500ix_radar_detector_reviews.pdf
    • https://uploads.strikinglycdn.com/files/b6de5e14-7f0f-406f-b0fb-b2342ab78093/what_is_the_orientation_of_a_shape.pdf
    • https://uploads.strikinglycdn.com/files/d550e247-bc37-4f95-91b2-b4010bb0bb7a/can_i_import_a_journal_entry_into_quickbooks.pdf
    • https://uploads.strikinglycdn.com/files/8ea36333-8131-43bb-b90b-77a94a5fe54c/autocad_mep_2019_manual.pdf
    • https://uploads.strikinglycdn.com/files/1363c182-7bfb-4661-881c-87a2d042af36/queen_of_shadows_book.pdf
    • https://uploads.strikinglycdn.com/files/b4318440-8efc-4abe-80da-24b9819d6089/71437352580.pdf
    • https://uploads.strikinglycdn.com/files/6550a6e1-f047-48c6-abcf-78ae5517b482/why_wont_my_dirt_bike_shift_gears.pdf
    • https://uploads.strikinglycdn.com/files/4d2ce829-9d44-4281-8f6a-471fd5462b46/8th_grade_math_practice_printable_worksheets.pdf
    • https://uploads.strikinglycdn.com/files/87477a45-0e46-4443-86b7-4245335c4e4b/jetudasujakafuwonilos.pdf
    • https://uploads.strikinglycdn.com/files/b77a35d6-8e69-4dda-90de-396914120e54/online_excel_spreadsheet_course.pdf
    • https://uploads.strikinglycdn.com/files/6451a44d-b2ab-4f8a-930d-f5cb160e81d2/65893055242.pdf
    • https://uploads.strikinglycdn.com/files/e354f3c2-b4e5-47e4-87a9-f30abe916236/what_is_yes_in_french.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP metadata namespace URIs (RDF, Dublin Core, Adobe PDF/XMP) and the SIL Open Font License URL. Together with the ascendercorp.com font-vendor links above, they most likely come from the document metadata and the name tables of the embedded fonts rather than from link annotations, and are expected in a wkhtmltopdf-produced file; they are not indicators on their own.
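The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, re-implemented as an added example. This is not the analysis tool's own code. The sample PDF is constructed inside the block with placeholder hosts under the reserved .test TLD, so none of the URLs from the report appear in it; the thresholds (10 links, 200 KB, 50% clustering on one host) are assumptions chosen to match the report's wording, not the tool's real values. Parsing is regex-based and deliberately simple: it does not walk the xref table or decompress object streams, so a production triage script would also decode /ObjStm and filtered streams before applying the same logic.

```python
"""Re-implementation of two heuristics from the report: PDF_SEO_LINK_FARM
(many external link annotations clustered on one host in a small file) and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with
different bodies, escalated only when a body carries active content).

Added example, not the analysis tool's code. Sample PDF and hosts below are
constructed placeholders; thresholds are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj"; non-greedy so each definition is captured separately.
# (A stream containing the literal token "endobj" would cut this short; a
# real tool honours /Length instead.)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI value as a literal string (...) or a hex string <...>; the hex form is a
# common way to dodge grep-based extractors, so both are accepted.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
# Keys whose presence makes a duplicated object definition worth escalating.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/URI")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target, decoding hex strings and simple backslash escapes."""
    uris = []
    for literal, hexstr in URI_RE.findall(pdf):
        raw = bytes.fromhex(hexstr.decode("ascii")) if hexstr else re.sub(rb"\\(.)", rb"\1", literal)
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024,
                    min_cluster: float = 0.5) -> dict:
    """Flag a small PDF whose external links mostly point at one host."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)   # exact hostname, no eTLD+1 folding
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    clustered = top_count / len(uris) if uris else 0.0
    return {
        "size": len(pdf), "links": len(uris), "hosts": len(hosts),
        "top_host": top_host, "clustered": round(clustered, 3),
        "flagged": len(pdf) <= max_size and len(uris) >= min_links and clustered >= min_cluster,
    }


def duplicate_objects(pdf: bytes) -> list[dict]:
    """Report object numbers defined more than once with different body bytes."""
    first_seen: dict[tuple[int, int], bytes] = {}
    findings = []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first_seen:
            first_seen[key] = body            # what a first-wins reader resolves
        elif first_seen[key] != body:         # what a last-wins reader resolves
            active = any(k in body or k in first_seen[key] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first": first_seen[key], "last": body,
                             "active": active, "severity": "critical" if active else "info"})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: 12 link annotations (9 on one host) plus object 5
    redefined later in the file, as an incremental update would do."""
    hosts = ["cdn.example-files.test"] * 9 + ["a.example.test", "b.example.test", "c.example.test"]
    annots = "".join(
        f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI (https://{h}/files/{n}.pdf) >> >>\nendobj\n"
        for n, h in enumerate(hosts, start=10))
    hex_uri = "https://d.example.test/x.pdf".encode().hex()
    pdf = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
           + " ".join(f"{n} 0 R" for n in range(10, 10 + len(hosts))) + "] >>\nendobj\n"
           f"5 0 obj\n<< /Type /Action /S /URI /URI <{hex_uri}> >>\nendobj\n"
           + annots +
           "5 0 obj\n<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
           "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf.encode("latin-1")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    for f in duplicate_objects(sample):
        print(f["severity"], f["obj"], f["first"], b"->", f["last"])
```

On the constructed sample the link-farm check reports 13 links across 5 hosts with 9 of them on one host and flags the file, and the duplicate check reports object 5 0 at critical because the second definition carries /JS. Replace the second body with another plain /URI action and the same finding drops to info, which is the escalation rule the heuristic describes.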

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs, as wkhtmltopdf output normally contains; they are listed as artifacts only, and no heuristic above refers to them.

Filename: font_00_sfnt_off0000dd69.bin
  SHA-256: 36e5350f3a57d28bf3833d61877ead978ec35f0f39d18e45772324ee3ca4d1bd
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xDD69
  Size:    5640 bytes

Filename: font_01_sfnt_off0000f062.bin
  SHA-256: 989d1eee17350884696ee6c5f28505ebdba3b405ab7e8bb169ee53b1336f1202
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF062
  Size:    10712 bytes
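How a carver decides that a byte range really is an sfnt (TrueType/OpenType) font, as an added example that is not the analysis tool's code. Grepping for the sfnt magic alone also fires on unrelated bytes, so this version parses the offset table and table directory, requires every table to lie inside the buffer, and verifies the per-table checksums. The sample font in the block is constructed by hand with two tiny tables and is not one of the two carved files above; the carrier bytes around it are likewise constructed. Run it against a decompressed FontFile2/FontFile3 stream, since font streams in real PDFs are normally FlateDecode-compressed.

```python
"""Validate and carve sfnt (TrueType/OpenType) fonts from a byte buffer.

Added example, not the analysis tool's code. The sample font and carrier bytes
below are constructed for the demonstration.
"""
import struct

SFNT_FLAVORS = {0x00010000: "TrueType", 0x74727565: "TrueType (true)", 0x4F54544F: "OpenType/CFF (OTTO)"}
MAGICS = [struct.pack(">I", v) for v in SFNT_FLAVORS]


def table_checksum(data: bytes) -> int:
    """sfnt checksum: big-endian uint32 sum over the table, zero-padded to 4 bytes."""
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF


def parse_sfnt(buf: bytes, offset: int = 0):
    """Parse the sfnt header at `offset`; return None unless it is structurally sane."""
    if len(buf) - offset < 12:
        return None
    version, num_tables = struct.unpack_from(">IH", buf, offset)
    if version not in SFNT_FLAVORS or not 0 < num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables
    if offset + dir_end > len(buf):
        return None
    tables, end, checksums_ok = {}, dir_end, True
    for i in range(num_tables):
        tag, checksum, toff, tlen = struct.unpack_from(">4sIII", buf, offset + 12 + 16 * i)
        # Every table must sit after the directory and inside the buffer.
        if toff < dir_end or offset + toff + tlen > len(buf):
            return None
        data = buf[offset + toff: offset + toff + tlen]
        # 'head' holds checkSumAdjustment and is excluded from the per-table check.
        if tag != b"head" and table_checksum(data) != checksum:
            checksums_ok = False
        tables[tag.decode("latin-1")] = (toff, tlen)
        end = max(end, toff + tlen)
    return {"flavor": SFNT_FLAVORS[version], "tables": tables, "size": end, "checksums_ok": checksums_ok}


def carve_sfnt(buf: bytes) -> list[tuple[int, dict]]:
    """Find every offset in `buf` where a structurally valid sfnt font starts."""
    hits = []
    for magic in MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            info = parse_sfnt(buf, pos)
            if info is not None:
                hits.append((pos, info))
            pos = buf.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def build_sample_sfnt() -> bytes:
    """Constructed two-table TrueType header with a correct directory and checksums."""
    tables = [(b"cmap", b"\x00\x00\x00\x01\x00\x03\x00\x01"), (b"name", bytes(range(12)))]
    # searchRange=32, entrySelector=1, rangeShift=0 are the textbook values for two tables.
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 32, 1, 0)
    directory, payload = b"", b""
    for tag, data in tables:
        offset = 12 + 16 * len(tables) + len(payload)
        directory += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        payload += data + b"\0" * (-len(data) % 4)
    return header + directory + payload


if __name__ == "__main__":
    blob = b"%PDF-junk" + build_sample_sfnt() + b"\nendstream"   # constructed carrier with one font inside
    for off, info in carve_sfnt(blob):
        print(f"sfnt at offset 0x{off:X}: {info['flavor']}, {info['size']} bytes, "
              f"tables={sorted(info['tables'])}, checksums_ok={info['checksums_ok']}")
```

The constructed header contains a second copy of the 0x00010000 magic by accident (entrySelector 1 followed by rangeShift 0), which is exactly the false positive a magic-only scanner would report; the directory check rejects it because the bytes that follow do not form a plausible table count. The "size" field is how the carver arrives at lengths like the 5640 and 10712 bytes reported above: the end of the furthest table, not the end of the stream.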