Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c194f93a987de4b…

Verdict: MALICIOUS
File type: PDF
Size: 75.6 KB
Created: 2021-06-05 15:48:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 047cfbbff6c87dd65318e9c64771e5c3
SHA-1: e07439847ec21e487345e50d24672b01574a5dd6
SHA-256: 2c194f93a987de4b6cd53b0768dd7b2cf0e3fb141c47cc73b950d147bb73df57
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The presence of a large number of external links, identified as a 'PDF_SEO_LINK_FARM', suggests the document is designed to redirect users to potentially harmful content or to manipulate search engine results. One of the extracted URLs, 'https://dugedepap.ru/123?utm_term=example+of+modified+block+format+letter', is marked as unknown and is a primary IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dugedepap.ru/123?utm_term=example+of+modified+block+format+letter

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb4a.bin
  SHA-256: f2701c01e74da08f51f61345ec7a3a1948083722c5304f047224a6b3fff1eb15
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEB4A
  Size: 5352 bytes

Filename: font_01_sfnt_off0000fd70.bin
  SHA-256: 4c8b4b9eb43bea5102efeb8bdc54024ebcf4df0272d514758d6c212aa4bdbbcb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD70
  Size: 10584 bytes