Malicious PDF — malware analysis report

Static analysis result for SHA-256 1844c75be4e7f81b…

Verdict: MALICIOUS
File type: PDF
Size: 80.1 KB
Created: 2021-03-22 02:56:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21e1f5ef2b23206558835a41e1c11d68
SHA-1: d2d26c42c4c40ee188fedab3b2912ffd1eb2aa81
SHA-256: 1844c75be4e7f81b9fb4010a9b94a80c3abab030ac3604f66e77b1060f501b52
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for phishing or distributing further malware. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of links, and one of the primary URLs, 'https://midufefew.ru/strik?utm_term=brother+tn+630+printer+wifi+setup', suggests a lure related to printer setup. ClamAV detection and ML classification further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/strik?utm_term=brother+tn+630+printer+wifi+setup

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f9a7.bin
    SHA-256: 97a58dcd28ba3d6f21a83e88c92a158bb7490ed3a2d3aa142bca00a6d460677f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF9A7
    Size: 5348 bytes
  • Filename: font_01_sfnt_off00010bed.bin
    SHA-256: 0510e2cfc0e6d60b545fdc922af44bcfa2b78e331b44ec408a2609a950a853da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BED
    Size: 11520 bytes