Malicious PDF — malware analysis report

Static analysis result for SHA-256 24f5db6bfbe2febc…

MALICIOUS

PDF

76.8 KB Created: 2021-03-23 05:59:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d580fc3a7f535ae7950479929c809f4b SHA-1: 22b2abaad00edf5b0147d975dd324c049e4b7468 SHA-256: 24f5db6bfbe2febc082b1c4bd7d84bc16b464ec2437e9872679f1856a4c0d262
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, suggesting it is part of a link farm or SEO spam campaign. The embedded content, though heavily obfuscated, likely serves to disguise the malicious nature of the links and potentially download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=lg+ice+maker+manual
    • https://static.s123-cdn-static.com/uploads/4388050/normal_5ffca6823b9d3.pdf
    • https://cdn-cms.f-static.net/uploads/4477658/normal_602ef80f87e2b.pdf
    • https://cdn-cms.f-static.net/uploads/4447878/normal_602bf91741f66.pdf
    • https://static.s123-cdn-static.com/uploads/4503524/normal_5ff630772e234.pdf
    • https://cdn-cms.f-static.net/uploads/4379474/normal_601d59f2a526f.pdf
    • https://static.s123-cdn-static.com/uploads/4375690/normal_5feccc913046e.pdf
    • https://cdn-cms.f-static.net/uploads/4490961/normal_6009dadf26af8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/33c82f99-8586-4fd4-b313-a8bcb103a32e/70551044321.pdf
    • https://uploads.strikinglycdn.com/files/fed04327-8eb5-4314-9878-7db45218783e/zoled.pdf
    • https://45f61934-b4a1-4335-a9e3-e142d9465b5b.filesusr.com/ugd/0dd040_4ab0e6b00b064b0d9e8f91896865e938.pdf?index=true
    • https://08b4a39d-fa16-4eaa-91be-ae90003cacb9.filesusr.com/ugd/237bf7_efaea42433a74660a504b3c2440f4bd8.pdf?index=true
    • https://e8f98835-b194-42a5-b43f-fe2f29920dd6.filesusr.com/ugd/bf650e_934bc58cc9e24c4fac8d3108289ec40f.pdf?index=true
    • https://edb7bb8d-792a-4213-93ec-7f573d37cc74.filesusr.com/ugd/bfd504_e2aa39d22e0f4e8f846f158db71e552b.pdf?index=true
    • https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_19d55ce49bf14f158b6b8d54cecc6786.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ad28ce0a-9f37-4d80-9342-856365e1177a/lord_of_the_rings_hobbit_character_names.pdf
    • https://f730d15c-1921-46d2-b6d4-288333e40990.filesusr.com/ugd/e2c223_ecb9ddee71cb4ba0b4f6c7cc57a1122a.pdf?index=true
    • https://94db4134-5784-44c5-a63d-963e509970fa.filesusr.com/ugd/9c58c5_f48e4069a1174635a9b5ec05845e0cd5.pdf?index=true
    • https://2172aa7b-56d6-4bcb-a12f-aafeda7c7725.filesusr.com/ugd/0d9129_593c900e0e1445c4862d8cd2b1a1a64f.pdf?index=true
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_1a1745a787094e8080b0d3b043358b59.pdf?index=true
    • https://cc0b58a5-7bf4-4b41-9cd7-d9bc0cd2cc6f.filesusr.com/ugd/6dc98b_0e4e5d8ce22147ada8fc8deec52ca53c.pdf?index=true
    • https://27420876-d215-4860-9a72-f48db0d0c320.filesusr.com/ugd/4062c2_9872bd0ada0f4a3c85474cff7c204496.pdf?index=true
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_1f73a64e251e47cc839eb573b3052a30.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7f913ac6-06ab-455a-b742-405297632fc6/are_pressure_washer_pumps_universal.pdf
    • https://c83cbd6e-a134-4b49-ba12-49f24c654ad9.filesusr.com/ugd/904a8b_f4b825bb07f441d5af1dbc3424afe8ad.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efc6.bin
06080f58532a62519feda15a7fe8d5eb77695e24b7949b9f3b4571334e09c0f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFC6 4944 bytes
font_01_sfnt_off0001008c.bin
f1d9480f6d83a4db9370267e88f2af76f265e7a4b7d86cc60202935cbf377816		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1008C 10940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.