Malicious PDF — malware analysis report

Static analysis result for SHA-256 31f0af5672eb3cfe…

MALICIOUS

PDF

Size: 81.6 KB
Created: 2021-05-21 11:08:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25

MD5: b763cfa56090c246ee445ac5be00a15b
SHA-1: 58d3a8e523ed82568d12d2de252e35e39633c5b6
SHA-256: 31f0af5672eb3cfeee3351dd2971a0739e878e0483b85985b14e27fb8824a250

Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by a ClamAV signature and by an ML classifier. The file embeds dozens of external links, most of them to generated-looking .pdf paths on a small set of file-hosting domains, a pattern characteristic of an SEO link farm rather than of genuine document citations. Not every extracted URL is a link: the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the document metadata, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries are type-foundry and font-licence URLs, most likely carried by the three embedded fonts listed under extracted artifacts. None of the listed heuristics reports JavaScript in the file, so the T1059.007 mapping is not corroborated by the findings below; the verdict rests on the ClamAV signature, the classifier score and the link-farm pattern. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV signature match; the signature name is the one shown above.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external links to .pdf targets, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; it does not match a normal document citation pattern.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (actions, scripts).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=is+it+good+to+burn+3000+calories+a+day  (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4368954/normal_603773f27da99.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4409238/normal_601d8b1f8c313.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465691/normal_60175c6a1f223.pdf  (PDF document text)
    • https://levapexufusetij.weebly.com/uploads/1/3/4/9/134904519/4969323.pdf  (PDF document text)
    • https://nurifekuti.weebly.com/uploads/1/3/4/5/134516663/gulurapufi_ravuzasos.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446784/normal_5fdc217c76e2a.pdf  (PDF document text)
    • https://favaruzikab.weebly.com/uploads/1/3/4/8/134871436/semus_gakoxak_xafexalanipi_loxevimeziru.pdf  (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379473/normal_6012fb34579d7.pdf  (PDF document text)
    • https://tabogivazosepa.weebly.com/uploads/1/3/1/8/131871767/dadezosaxov_lipebok_medadujosujix.pdf  (PDF document text)
    • https://zukixemafeka.weebly.com/uploads/1/3/1/3/131398149/90736f.pdf  (PDF document text)
    • http://www.ascendercorp.com/  (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (PDF document text)
    • http://www.daltonmaag.com/  (PDF document text)
    • https://uploads.strikinglycdn.com/files/d02da8f8-331a-4214-b2fa-249f9ce11bcb/logomikitifewir.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/5d592e21-be6d-4923-bc47-7394ad0161d0/how_to_setup_sony_universal_remote_rm-vz320.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/8ffb2da6-3917-444a-80da-cc7448ec5156/finaweruzoxamimuvatutuzoz.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/5bad830d-1afb-4590-93fa-06a85e7e9f05/fomoganixaxu.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/c3aee996-b2ac-4c5c-9331-79ad1e15957f/why_quantum_physics_is_important.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/c6c2d66b-dd86-43c5-b5e2-de95d1e044b3/fisher_and_paykel_dishwasher_dd605_service_manual.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/113f1c2d-0468-47e0-bb09-efde8f4e9791/simple_anime_drawings_step_by_step.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/89eb3aeb-fce2-4161-88a7-7fb61e5ca834/husqvarna_riding_mower_yth24v48_drive_belt_replacement.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/bc83d53b-385f-449d-bed6-2bf858109550/samsung_aquajet_vrt_washer_parts.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/d59f1cd4-db3e-43b6-b41d-b95f0580c058/canon_mp240_replace_ink_cartridge.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/358eb0b7-6622-42fa-b4b5-845d2db0d50e/13395936268.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/8e427f57-5bb5-4800-ab31-da49e31148b6/jeu_de_carte_personnalis_qubec.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/825b4943-d88a-4b99-be94-e09317316d9b/criticisms_of_rational_choice_theory_criminology.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/468800be-16c7-4762-b97a-ba4bbdf8690a/xevukot.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/87f6c001-ea07-4c28-a1ce-db6014e5f102/boxenerabiduramu.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/b737ddac-949b-45a7-852a-2aaafb0b7b6d/71634003773.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/4c626a3e-fe39-493f-9b8f-95eef2ba5721/zizobotogibis.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/bde06648-0c1c-483f-a575-cad8e2d5617d/fluke_t5-1000_instruction_manual.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/3fe90c16-f30b-44f5-9e13-90c7f36a03e9/what_are_the_5_forms_of_prayer.pdf  (PDF document text)
    • https://uploads.strikinglycdn.com/files/0ddc25f5-d7d2-4bb3-b506-a2f14a3d343d/haier_washer_dryer_combo_owners_manual.pdf  (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (PDF document text)
    • http://purl.org/dc/elements/1.1/  (PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (PDF document text)
    • http://scripts.sil.org/OFL  (PDF document text)
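The two structural heuristics in the list above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small amount of Python. The block below is an added illustration written for this page; it is not the analysis engine's code and it does not process the sample analysed here. It runs on a constructed PDF-like byte string built inside the script (an original revision plus an incremental update), uses a deliberately naive object scanner that walks the raw bytes for "N G obj ... endobj" (no xref table, no object streams), and the thresholds size_limit, min_links and min_share are assumed demo values, not the engine's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Naive object scanner: walks the raw bytes so that *every* definition of an
# object is seen, including the ones an incremental update appended at the end
# of the file. No xref or object-stream handling (assumption for the demo).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys whose presence makes an object "active" (coarse substring test).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def find_objects(pdf):
    """Map (num, gen) -> list of body bytes in file order; duplicates are kept."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs


def link_farm(pdf, size_limit=200_000, min_links=8, min_share=0.6):
    """PDF_SEO_LINK_FARM-style check: a small file carrying many external /URI
    targets that cluster on one host. Thresholds are assumed demo values."""
    hosts = Counter()
    for bodies in find_objects(pdf).values():
        for body in bodies:
            for uri in URI_RE.findall(body):
                hosts[urlparse(uri.decode("latin-1")).hostname or ""] += 1
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / total if total else 0.0
    flagged = len(pdf) <= size_limit and total >= min_links and share >= min_share
    return {"links": total, "top_host": top_host, "share": round(share, 2), "flagged": flagged}


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: same (num, gen) defined more
    than once with different bytes. Reports what a first-wins and a last-wins reader
    would each resolve, and raises severity only if either variant carries active keys."""
    findings = []
    for (num, gen), bodies in find_objects(pdf).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or byte-identical redefinition
        first, last = bodies[0], bodies[-1]
        active = sorted({k.decode() for k in ACTIVE_KEYS for b in (first, last) if k in b})
        findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                         "first_wins": first, "last_wins": last,
                         "active": active, "severity": "high" if active else "info"})
    return findings


def build_sample():
    """Constructed PDF-like bytes for the demo (NOT the analysed sample): 12 link
    annotations, 10 of them on one host, then an incremental update that touches
    the info dictionary (benign) and rewrites the catalog to add an /OpenAction."""
    farm = [b"https://uploads.example-cdn.invalid/files/%d/doc.pdf" % i for i in range(10)]
    other = [b"http://www.w3.org/1999/02/22-rdf-syntax-ns#", b"http://scripts.sil.org/OFL"]
    annots = [b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (%s) >> >> endobj\n" % (i, uri)
              for i, uri in enumerate(farm + other, start=10)]
    kids = b" ".join(b"%d 0 R" % i for i in range(10, 10 + len(annots)))
    original = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + kids + b"] >> endobj\n"
                b"5 0 obj << /Producer (demo) /ModDate (D:20210521110812) >> endobj\n"
                + b"".join(annots) + b"trailer << /Root 1 0 R /Info 5 0 R >>\n%EOF\n")
    # A first-wins reader keeps the original catalog (no auto-navigation); a
    # last-wins reader takes the redefinition and fires the /OpenAction /URI.
    update = (b"5 0 obj << /Producer (demo) /ModDate (D:20210925000000) >> endobj\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI "
              b"/URI (https://uploads.example-cdn.invalid/landing) >> >> endobj\n"
              b"trailer << /Root 1 0 R /Info 5 0 R /Prev 9 >>\n%EOF\n")
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    print("link farm:", link_farm(sample))
    for f in duplicate_objects(sample):
        print(f"dup {f['obj']} x{f['definitions']} severity={f['severity']} active={f['active']}")
```

Run against the constructed sample, the link-farm check reports 13 /URI targets with 11 of them on one host and flags the file; the duplicate check reports object 1 0 as high severity (the last-wins body adds /OpenAction and /URI) and object 5 0 as info only (a /ModDate change, the benign incremental-update case the heuristic text describes). On a real file, feed the bytes of the PDF to the same two functions; the scanner deliberately ignores the xref so that a stale or rewritten cross-reference table cannot hide the earlier definition.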

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f128.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF128
  Size: 5476 bytes
  SHA-256: 6ac71e50e0811695d1f6e89d05e03014c6215126c2545a7756efe9f026241bb1

font_01_sfnt_off000103c5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x103C5
  Size: 11560 bytes
  SHA-256: ba57156487c2d2b4b4dc898dd4eb304b21d97a4fb438011d3902f6496110c165

font_02_sfnt_off00012a20.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12A20
  Size: 4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3