Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d32f8720822eff7…

MALICIOUS

PDF

122.3 KB Created: 2021-05-28 14:21:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b05f6c1463c8c83804c89ef689c0452f SHA-1: 71929cecca5c64fb4f496dd8a31934b4a4204d26 SHA-256: 0d32f8720822eff77b611d1b2f8141fa04a60f868158531b28c87c1ecf0c6bda
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm or SEO manipulation tactic. One prominent URL, fokemale.ru, is likely used to direct users to a malicious site. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/wb?keyword=what%20did%20charles%20darwin%20discover%20in%20brazil%20how%20did%20he%20view%20species%20at%20that%20time
    • https://static.s123-cdn-static.com/uploads/4380540/normal_60097f6de7f05.pdf
    • https://static.s123-cdn-static.com/uploads/4410730/normal_5ffde2db41e53.pdf
    • https://cdn-cms.f-static.net/uploads/4455178/normal_603e7180a93db.pdf
    • https://cdn-cms.f-static.net/uploads/4426263/normal_604f15975b523.pdf
    • https://cdn-cms.f-static.net/uploads/4417818/normal_604989bf8e5de.pdf
    • https://static.s123-cdn-static.com/uploads/4404122/normal_5ffccb8494c56.pdf
    • https://cdn-cms.f-static.net/uploads/4467325/normal_6014ddd62f4e6.pdf
    • https://getawupib.weebly.com/uploads/1/3/1/8/131856556/8125063.pdf
    • https://cdn-cms.f-static.net/uploads/4480756/normal_6044e05c57f5a.pdf
    • https://cdn-cms.f-static.net/uploads/4368953/normal_600daef1d98ac.pdf
    • https://tibikinadip.weebly.com/uploads/1/3/1/8/131856726/fedudowikemofi.pdf
    • https://wejafivikime.weebly.com/uploads/1/3/0/9/130969279/dipax-tabed-borid.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/39467998-9453-4b3c-9665-220aa1909980/ximokenobubalivixu.pdf
    • https://uploads.strikinglycdn.com/files/cba3ca5c-9ef7-437b-bb3c-2b55d584bb85/47002497990.pdf
    • https://uploads.strikinglycdn.com/files/b04ddb64-2e78-4a81-9b4d-376a14416317/9119224436.pdf
    • https://uploads.strikinglycdn.com/files/084db1c5-d239-4785-9815-0b8cedcccc7e/nupavamurewalewezekagudum.pdf
    • https://uploads.strikinglycdn.com/files/64f9ef1e-935d-4ca5-b023-439063ce91d4/97940394221.pdf
    • https://uploads.strikinglycdn.com/files/0c69c10d-3d41-4a9d-9bb1-2870b18ca306/our_lady_of_the_lake_hospital_walker_la.pdf
    • https://uploads.strikinglycdn.com/files/9730e20a-698b-455c-b723-9a042b54fedf/what_medical_advancements_were_made_during_the_scientific_revolution.pdf
    • https://uploads.strikinglycdn.com/files/d4057200-d1da-4e8c-bbb5-1e6caad330f6/iso_iec_31010_espaol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019494.bin
e34076528389a798d22029c6513d1e5c9579646ca4fef4e180845e9bd203716e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19494 5456 bytes
font_01_sfnt_off0001a707.bin
c8452ca54eceac2d80b745c25fe6b5b1a5714c0f89207a8f4c435d424fa97319		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A707 11464 bytes
font_02_sfnt_off0001ccbc.bin
781b9fae2fb9201b4a05d2041fea553bb2973f1d011ab9c51e3326c72e342c60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CCBC 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.