Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c93631e0af21131…

MALICIOUS

PDF

Size: 81.1 KB
Created: 2021-03-20 00:40:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 413b949d5b70643e6bc7c4c18901ac26
SHA-1: d927ad52a05bc25c1c20387148e0380c5e4743c4
SHA-256: 2c93631e0af21131219f060f4f9790d26fac0cda78bbebe1963da430aee34b5d
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is classified as malicious by multiple heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan and the critical PDF_SEO_LINK_FARM heuristic. Its primary link annotation points to midufefew.ru, likely a phishing or malware-distribution landing page; the query string (keyword=aprimoramento+gen%25C3%25A9tico+pdf, a double-percent-encoded Portuguese search phrase) is the pattern of a generated SEO-bait document rather than a human-authored link. The remaining external links cluster on cdn.sqhk.co and a handful of file-hosting CDNs, consistent with a link farm or redirection chain that obscures the final destination rather than with ordinary document citations. The wkhtmltopdf producer string shows the file was rendered from HTML. No JavaScript or embedded-file heuristic fired on this sample; the malicious behaviour observed statically is link-based.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9958

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence the info rating.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are XMP metadata namespaces and a font licence URL, not clickable link targets.
    Primary URL: https://midufefew.ru/award?keyword=aprimoramento+gen%25C3%25A9tico+pdf
    Other extracted URLs:
    • https://cdn.sqhk.co/pawosuku/Phjmbjh/62429993372.pdf
    • https://cdn-cms.f-static.net/uploads/4425738/normal_5fe6098aee88f.pdf
    • https://cdn.sqhk.co/pugirunosamo/hicEjQc/write_down_notes_online.pdf
    • https://cdn.sqhk.co/zedozomi/3yjhif2/jumia_black_friday_today.pdf
    • https://cdn.sqhk.co/zowuvutevak/zVFhiji/add_subtitles_to_video_permanently_android.pdf
    • https://static.s123-cdn-static.com/uploads/4449602/normal_5fecc449c7bb3.pdf
    • https://cdn.sqhk.co/saboxiwago/n9zjjhi/20273552467.pdf
    • https://cdn.sqhk.co/nudogada/V1haZij/zonejumuxepubepe.pdf
    • https://cdn.sqhk.co/fujotojaxob/xbhj0Ok/royal_fairy_tale_princess_makeup_game_free.pdf
    • https://cdn.sqhk.co/desixurate/fjageiy/acceptable_identification_goods_services_manual.pdf
    • https://cdn.sqhk.co/wutalididow/aRBjj40/fimetixevarowumesukoluxu.pdf
    • https://cdn-cms.f-static.net/uploads/4474223/normal_60490725d9816.pdf
    • https://cdn.sqhk.co/tifobebe/1ihjaid/robots_vs_zombies_attack_unlimited_money.pdf
    • https://static.s123-cdn-static.com/uploads/4467300/normal_5ff931b0492f0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_8bbe67403f2d464c9100cdf695d20cd0.pdf?index=true
    • https://650c977b-0274-48a2-8498-43c0efc39f4e.filesusr.com/ugd/dbad32_8317fbe2eb22497d9aab1e59d3991ecd.pdf?index=true
    • https://s3.amazonaws.com/benuka/pasijejikenapureluxoteno.pdf
    • https://5c2cca0d-3a4e-48b0-93bf-8ac6c0c026cb.filesusr.com/ugd/271e65_2411175c38af4f00b9e55e7e907d2165.pdf?index=true
    • https://52468903-0e2d-47c5-babb-61e1d305d291.filesusr.com/ugd/32777b_c894500d280c4605bb56d2e0a0a67d6b.pdf?index=true
    • https://551f0ad2-75d1-4009-b90b-2f3e3e20230b.filesusr.com/ugd/c2bf0a_3e60185b4ad24667b2e3fdea94ec1e8c.pdf?index=true
    • https://700ceb37-22d2-47c5-9888-d858af679aee.filesusr.com/ugd/c345b0_a1d6af6f4ea849fdbc4974401ce625ab.pdf?index=true
    • https://59e5a08b-0d8d-455f-a3a7-35a3b781ab3e.filesusr.com/ugd/784815_f1d8b7b68b254047991f155efa68b818.pdf?index=true
    • https://fed4949e-3809-4fc0-a28b-84c5d390f589.filesusr.com/ugd/94482e_06719173622e4f9fa51402ebce324a51.pdf?index=true
    • https://s3.amazonaws.com/nelizenejakarug/20147030099.pdf
    • https://3b9c8e93-52ab-41e8-96f8-e5fc639bf6fa.filesusr.com/ugd/fe3ccd_d917eb83576245f2b225a26c03e67592.pdf?index=true
    • https://s3.amazonaws.com/xukirizugukugi/how_long_do_ryobi_40v_batteries_last.pdf
    • https://s3.amazonaws.com/fidobakipivogit/saitek_x52_pro_setup.pdf
    • https://s3.amazonaws.com/sixenogafopoj/what_is_the_summary_of_the_new_testament.pdf
    • https://dfabac9c-3a78-4d86-b112-ccf1750024e9.filesusr.com/ugd/b46e2f_e59a800f5fc54609842fdf57c9df0250.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
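The three PDF-level checks above (literal /URI extraction, host clustering for PDF_SEO_LINK_FARM, and duplicate object bodies for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a short static triage script. The following is an added example, not the scanner's own code: it runs against a constructed sample PDF built inside the script (not the analysed file), the size and link thresholds are illustrative assumptions, and example.org is a placeholder host used for the redefined object. It also shows the double-percent-decoding of the midufefew.ru query string.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# `N G obj ... endobj` records; objects hidden inside object streams
# (/Type /ObjStm) are not walked by this simplified parser.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string); hex-string (<...>) URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def indirect_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Map (object number, generation) -> every body seen, in file order."""
    objs: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_object_bodies(data: bytes) -> dict[tuple[int, int], tuple[bytes, bytes]]:
    """Objects defined more than once with differing bytes (the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). Returns the first-wins and
    last-wins bodies so you can see what each kind of reader resolves."""
    return {key: (bodies[0], bodies[-1])
            for key, bodies in indirect_objects(data).items()
            if len(set(bodies)) > 1}


def extract_uris(data: bytes) -> list[str]:
    """Literal-string /URI values from link annotations and URI actions."""
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(rb"\)", b")").replace(rb"\(", b"(")
        out.append(raw.decode("latin-1"))
    return out


def normalize_url(url: str) -> str:
    """Strip stacked percent-encoding until it is stable, so
    gen%25C3%25A9tico -> gen%C3%A9tico -> genético."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url


def link_farm_verdict(data: bytes, max_size: int = 200 * 1024,
                      min_links: int = 10, host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: a small file whose external links
    cluster on one host. Thresholds are illustrative assumptions."""
    uris = extract_uris(data)
    if not uris:
        return {"flag": False, "links": 0, "top_host": None, "share": 0.0}
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, n = hosts.most_common(1)[0]
    share = n / len(uris)
    flag = len(data) <= max_size and len(uris) >= min_links and share >= host_share
    return {"flag": flag, "links": len(uris), "top_host": top_host, "share": share}


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one page, one /Link
    annotation per URL, then an incremental update that redefines object 4
    with a different /URI. Xref tables are omitted since the regex parser
    does not need them. example.org is a placeholder host."""
    lure = "https://midufefew.ru/award?keyword=aprimoramento+gen%25C3%25A9tico+pdf"
    farm = [f"https://cdn.sqhk.co/u{i}/file{i}.pdf" for i in range(12)]
    farm += ["https://s3.amazonaws.com/b/x.pdf", "http://www.w3.org/1999/02/22-rdf-syntax-ns#"]
    objs, refs = [], []
    for num, u in enumerate([lure] + farm, start=4):
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
        refs.append(f"{num} 0 R")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
            + "".join(objs)
            + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = ("4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              "/A << /S /URI /URI (https://example.org/benign.pdf) >> >>\nendobj\n"
              "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return (body + update).encode("latin-1")


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(link_farm_verdict(pdf))
    for key, (first, last) in duplicate_object_bodies(pdf).items():
        print(key, "first-wins:", first[:60], "last-wins:", last[:60])
    print(normalize_url(extract_uris(pdf)[0]))
```

Run against a real sample, replace build_sample_pdf() with the file's bytes; on the reported file you would expect cdn.sqhk.co as the top host and one object number with two bodies. A production parser must also inflate /FlateDecode object streams and handle hex-string URIs, which this regex-only version deliberately skips.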

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fc1d.bin
    SHA-256: 5bb1870999d8918fa0fbda6f158671d74ce526c4c0373e02f3818021ff3ff212
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC1D
    Size: 5396 bytes
  • font_01_sfnt_off00010e21.bin
    SHA-256: b41ffe0f3595fc9a4aaa2f152f18b4d5245d5c1a55343200cbd69c991b93d43c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E21
    Size: 12676 bytes

Both carved artifacts are embedded sfnt font programs; no heuristic fired on them.