Malicious PDF — malware analysis report

Static analysis result for SHA-256 31f772efe3f49e2c…

MALICIOUS

PDF

91.0 KB Created: 2021-03-25 09:20:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b500cf67afb3578b139a1f31d2d8844 SHA-1: 521287aa41e8f10269d0285751d553be4871bace SHA-256: 31f772efe3f49e2cc7bf9f8e0f6eb1f13a4c38d1981fee1e9b7bd9bd01e78921
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to PDF files hosted on various platforms, suggesting a link farm designed to distribute malicious content. The presence of a specific URL related to 'touchgrind bmx mod apk' indicates a lure for potentially unwanted software. ClamAV detection and ML classification strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=touchgrind+bmx+mod+apk+1.29
    • http://operationhomeplate.com/betujubilogim.pdf
    • http://creditstar-kabinet.com/joleskywe7.pdf
    • https://cdn-cms.f-static.net/uploads/4389074/normal_600e48d4c5f1d.pdf
    • https://static.s123-cdn-static.com/uploads/4466673/normal_5fdca4ba47c5f.pdf
    • https://vedisowokiwovos.weebly.com/uploads/1/3/4/7/134767265/448aa501eb.pdf
    • https://bipejazikapidim.weebly.com/uploads/1/3/4/5/134529651/4200352.pdf
    • http://bigops.fun/63132226104tgqg1.pdf
    • http://bridgecommerce.com/456164251964r2qq.pdf
    • http://lifeit.pro/msi_h81m-p33_drivers_free_download8e8ay.pdf
    • https://bemujegifa.weebly.com/uploads/1/3/5/3/135312506/gojanazesaru_vinolubipepojem_dobufovopu.pdf
    • https://cdn-cms.f-static.net/uploads/4502500/normal_60505f6a5053d.pdf
    • http://kraftmann.su/10450952906tdl9t.pdf
    • https://nukawopuriw.weebly.com/uploads/1/3/4/3/134347541/941958.pdf
    • http://robinmani.site/planeacion_para_preescolar_35ak5f.pdf
    • http://lessonsonline.site/nba_2k18_vc_freecw90k.pdf
    • http://businesslinecenter.com/schaums_outlines_differential_equations5nd8t.pdf
    • http://romeita.fun/primary_cell_culture_protocol1vi1s.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d5cf8aa4-bbe7-4def-a264-9d60ca1aa8a2/4451845418.pdf
    • https://uploads.strikinglycdn.com/files/89bc0a63-4c72-477f-b4bc-17f585d390b6/what_is_the_difference_between_the_warrior_diet_and_omad.pdf
    • https://uploads.strikinglycdn.com/files/c87fa029-3670-4d46-80fb-677072698bda/crock_pot_digital_instructions_symbols.pdf
    • https://uploads.strikinglycdn.com/files/e6ec3e06-c7be-4de8-8b78-a44a744f4cdc/bose_sounddock_iii_bluetooth_adapter.pdf
    • https://uploads.strikinglycdn.com/files/38a4f213-a359-4f23-a1c8-7b8260d2cc8b/power_electronics_17638_mcq.pdf
    • https://uploads.strikinglycdn.com/files/d4d40abb-f686-4a1c-a6ca-830748421099/1989199382.pdf
    • https://uploads.strikinglycdn.com/files/e69893e4-41dd-4a81-8497-8fc530f9abff/algebra_2_multiplying_complex_numbers_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/b081f6b6-963d-4c0e-80dd-748c28649548/how_to_restore_corrupted_data_on_ps3.pdf
    • https://uploads.strikinglycdn.com/files/f96d2635-4fbe-471c-a8c9-35cb56b918a0/dream_interpretation_snake_bites_cat.pdf
    • https://uploads.strikinglycdn.com/files/4842ce36-6f8a-4ff9-a5c1-07f4fa571936/football_manager_2020_mobile_review_ign.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011c4c.bin
7a17a1ca0a45e52b04a9b01a82559f4f6b43ef34e0220a56c682bc5af984e9c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C4C 5868 bytes
font_01_sfnt_off00013028.bin
455d51fb8c1d96337fbe06580254eca797da704419f2d6d2bad0a597f5d48df0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13028 17248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.