Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ca4d68a826dee3a…

MALICIOUS

PDF

Size: 77.1 KB
Created: 2021-03-23 07:14:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f7c03a0f76e0e5a9b5059ebbb693d88
SHA-1: b6e459ab973a1190f3cbef31a9ae5c15689e6fe5
SHA-256: 0ca4d68a826dee3aab1bf8e09752aef5fc502bc3685a7c3c9f07b79d5a4f57fb
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a 77 KB PDF rendered from HTML by wkhtmltopdf. No script objects were extracted; what it carries is a mass of clickable external links, clustered on a handful of hosts (cdn.sqhk.co, *.filesusr.com, s3.amazonaws.com, *.epizy.com), most of them pointing at further PDF files with generated-looking names, plus one URL, 'https://dafemum.ru/123?utm_term=chefman+air+fryer+cooking+guide', that is flagged as unknown. The remaining extracted URLs (the w3.org, purl.org and ns.adobe.com XMP namespace identifiers, the SIL OFL licence link and the ascendercorp.com pages of a type foundry) are metadata strings from the XMP packet and the embedded fonts, not link targets. The ClamAV signature and the ML classifier agree on a malicious verdict: the structure matches a generated SEO link-farm carrier whose job is to route readers to external resources for phishing or unwanted-software delivery. Because nothing executable was recovered, the T1059.007 (JavaScript) tag is not corroborated by the static result and should be treated as provisional.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dafemum.ru/123?utm_term=chefman+air+fryer+cooking+guide
    • https://cdn.sqhk.co/xakutofi/a4jfPNE/gatagerosakixosiwa.pdf
    • https://cdn.sqhk.co/rovujesox/ZEeV6ha/jacarepagua_weather_report.pdf
    • https://cdn.sqhk.co/jorevagu/vhhgd9S/mavukejasesopowesuz.pdf
    • https://cdn.sqhk.co/xugufufifo/hckBxgi/55983496279.pdf
    • https://cdn.sqhk.co/wamefuvew/iB62WLE/52806614004.pdf
    • https://cdn.sqhk.co/zoribakim/dhc8ied/95192138983.pdf
    • https://cdn.sqhk.co/lowanivari/2HMFlih/jk_flip_flop_datasheet_7476.pdf
    • https://cdn.sqhk.co/noneniwetav/ieyjiXk/96432591645.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f72b89be-0fa6-41ee-8162-331329ef78ce.filesusr.com/ugd/95089d_0aa78c9294a542d4bce0f3f02b8c3f69.pdf?index=true
    • https://e9593579-f51f-4dc6-af55-2543ab512b45.filesusr.com/ugd/37952c_642808d4b8f44ba1b1219abebe63a0f4.pdf?index=true
    • http://resizov.rf.gd/topographic_anatomy_atlas.pdf
    • https://ae26bae5-b1f3-4fb2-a0ba-5d2f2d23988c.filesusr.com/ugd/aec2ea_aceb17343fc54ce8a6a862cfe213d60b.pdf?index=true
    • https://s3.amazonaws.com/wamatasamegu/30633628358.pdf
    • https://s3.amazonaws.com/muvarelo/dutabunuko.pdf
    • https://69cf8a46-0d3d-4b71-8fd1-93df925da18e.filesusr.com/ugd/e4064d_e7b1cd391a644979bf471a87ea97bdb7.pdf?index=true
    • https://6376acfe-5884-4251-b3d5-19a03c044549.filesusr.com/ugd/de3d83_70faac6adb9f4c5ea36e131e8765f2ae.pdf?index=true
    • https://s3.amazonaws.com/bejexe/22197064163.pdf
    • http://pususarejopo.epizy.com/techsmith_made_with_camtasia_free_trial.pdf
    • https://s3.amazonaws.com/juliziwojatige/grand_princess_deck_plans_printable.pdf
    • https://0b21792c-a699-4cf4-8833-5910c6ad58af.filesusr.com/ugd/b0b521_8e3c685649d84e2fa529b6983ecdff80.pdf?index=true
    • http://dafawesag.epizy.com/four_seasons_brand_standards.pdf
    • https://d73c234d-0e3d-497d-8108-d5659bace061.filesusr.com/ugd/58a813_c9c2c518273247698af9fe56844bf5a9.pdf?index=true
    • http://girugivujomoxet.epizy.com/gotibenu.pdf
    • https://s3.amazonaws.com/sagotomagin/2012_jeep_grand_cherokee_common_problems.pdf
    Namespace and licence URIs (XMP packet and font metadata, not link annotations):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
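The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce at triage time with a byte-level scan. The following script is an added example, not the analysis engine's code and not derived from the sample: it scans `N G obj ... endobj` blocks, extracts `/URI` link targets and clusters them by host, and reports object numbers whose first and last definitions differ, raising severity only when either body carries active keys. The thresholds, the list of "active" keys and the hostnames in the constructed sample PDF are assumptions, and the scanner sees only uncompressed objects; a real tool must also inflate /FlateDecode object streams and walk the xref chain.

```python
"""Toy triage for the two PDF-structure heuristics in this report.

Added illustration, not the analysis engine's own code. It mimics the shape
of PDF_SEO_LINK_FARM (many /URI link targets clustered on one host in a small
file) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (the same 'N G obj' defined twice
with different bytes, first-wins vs last-wins) over a constructed sample PDF.
Thresholds and names are assumptions, and the scanner only sees uncompressed
objects: a real tool must also inflate /FlateDecode object streams.
"""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence in a duplicated object raises the severity (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def iter_objects(pdf: bytes):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3)


def extract_uris(pdf: bytes) -> list:
    """Collect /URI literal strings; only the \\( and \\) escapes are undone here."""
    uris = []
    for _, body in iter_objects(pdf):
        for m in URI_RE.finditer(body):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf: bytes, min_links=8, top_host_share=0.5, max_size=200 * 1024) -> dict:
    """Flag a small PDF whose link targets mostly sit on a single host."""
    uris = extract_uris(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = len(pdf) <= max_size and len(uris) >= min_links and share >= top_host_share
    return {"links": len(uris), "top_host": top_host, "top_share": share, "flagged": flagged}


def duplicate_objects(pdf: bytes) -> list:
    """Report object numbers whose first and last definitions differ in bytes.

    A first-wins reader resolves first[key], a last-wins reader last[key];
    severity is raised only when either body carries active content.
    """
    first, last = {}, {}
    for key, body in iter_objects(pdf):
        first.setdefault(key, body)
        last[key] = body
    findings = []
    for key, body in first.items():
        if last[key] != body:
            active = bool(ACTIVE_RE.search(body) or ACTIVE_RE.search(last[key]))
            findings.append({"obj": key, "active": active,
                             "severity": "high" if active else "info"})
    return findings


def build_sample() -> bytes:
    """Constructed sample (not the analysed file): eight link annotations, seven on
    one host, plus an incremental update that redefines the catalog with a JS OpenAction."""
    hosts = ["cdn.example.test"] * 7 + ["other.example.test"]
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    ]
    refs = []
    for num, host in enumerate(hosts, start=10):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (https://%s/%d.pdf) >> >> endobj"
                    % (num, host.encode(), num))
        refs.append(b"%d 0 R" % num)
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >> endobj")
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    update = (b"1 0 obj << /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
              b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_verdict(sample))
    print(duplicate_objects(sample))
```

On the constructed sample the link-farm check fires (8 targets, 7 on one host) and object 1 0 is reported as a high-severity duplicate because its second body adds an /OpenAction with JavaScript; truncating the file at the first %%EOF removes the duplicate. On a real carrier like the one in this report the duplicate check would have returned an info-level hit only, since none of the bodies carried active content.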

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000edf5.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEDF5    5296 bytes
  SHA-256: e29d381f7c488ffc2c7dac8cc82664fec2681f3ba1396207da30ac213498afce
font_01_sfnt_off0000ffd1.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFFD1    11508 bytes
  SHA-256: d6de8b6ec6638da683663271f8f47bc6d9875dafcbc36bd3761bfc2626ecacd3