Malicious PDF — malware analysis report

Static analysis result for SHA-256 173f6f58bcd59afc…

Verdict: MALICIOUS
File type: PDF
Size: 103.5 KB
Created: 2021-06-09 11:00:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 534a447a0284f177946260acf96cf002
SHA-1: d6f607b2a1fc5c5e8d9289382c7890c5b62e0dc3
SHA-256: 173f6f58bcd59afcfe63f3c73a52cdec132464a454526cea6e9ebb8ccff859ce
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, one prominent link pointing to 'catamma.ru', which is associated with a lure for 'world of warships blitz mod apk android 1'. The heuristic 'PDF_SEO_LINK_FARM' flags the mass of external links, suggesting a link farm or phishing operation. ClamAV detection as 'Pdf.Phishing.Trojan' further supports malicious intent. No scripts were extracted, but the embedded URLs and the link-farm heuristic strongly suggest a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://catamma.ru/pbw?utm_term=world+of+warships+blitz+mod+apk+android+1

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001420a.bin | 52720e92a8fb110dbe971cd039a6aef7ca9d1f3ec93ecf9a033c7080cc8aa171 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1420A | 5692 bytes
font_01_sfnt_off0001555a.bin | 377ba3703f0f79bdb7b7f56c84f021ce2deee2129102e4baf7e8db2449df32b8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1555A | 11532 bytes
font_02_sfnt_off00017b6e.bin | bb0deebe8430627f513f611319b374358b3643ded9e1ea349ee522b0f2000a0e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17B6E | 16184 bytes