Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c0964e1c02a0697…

MALICIOUS

PDF

80.8 KB Created: 2021-03-23 15:55:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e066190bc703846223745a3cf7f661e SHA-1: 1148aa6446430f75b71e127516bc05f9aa1dd47a SHA-256: 3c0964e1c02a0697438b8bf98153c0eaa3f048b3728210fd77b29c69f21f677e
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It contains a large number of external links, with one notable URL being 'https://druttle.ru/award?keyword=contract+farming+agreement+format+pdf', suggesting a phishing or SEO-based malicious campaign. The ML classifier output of 0.999272 further supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=contract+farming+agreement+format+pdf
    • http://dakisemakegag.sportsontheweb.net/amnesia_global_transitoria.pdf
    • http://sudilufib.getenjoyment.net/joduwopasinalo.pdf
    • http://luziniwanemek.sportsontheweb.net/jetoxunigikuvuni.pdf
    • http://zexaribamemavi.sportsontheweb.net/wikomuxavedijob.pdf
    • http://guvetosufawi.22web.org/the_monkey_king_havoc_in_heavens_palace.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kiwopusafize/5kplayer_free_for_pc.pdf
    • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_caf5a6e514244f38a0791c40ccff5919.pdf?index=true
    • https://efa91360-7c21-416c-9d60-3189e0beb381.filesusr.com/ugd/42ffc7_c9f383005c91428092abcb2a99e11d8a.pdf?index=true
    • http://perexuwofogefo.onlinewebshop.net/how_to_turn_off_schedule_on_trane_thermostat.pdf
    • https://uploads.strikinglycdn.com/files/725039b9-14a9-4554-899b-ae0077a52e93/retonu.pdf
    • https://a95edb9d-21e5-46e4-bb1b-b1fdf66a5dae.filesusr.com/ugd/09e34a_a243c960f02643e39cae3e9314324ce1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e9024bcd-c3a9-4726-a9b2-e5380f5acd2a/dmso_natures_healer_espaol.pdf
    • https://0feddc0e-03bc-46a3-a741-45303deff239.filesusr.com/ugd/6ea6a2_b04cccbe2c954aaba6df9b412b4cfdc6.pdf?index=true
    • https://b7eb3c74-9f10-4efd-a612-efb7ea03662f.filesusr.com/ugd/7198c1_c23e2328568149988ebfc7c5f1785979.pdf?index=true
    • https://329f26c8-0235-4118-8622-173d264d9cf1.filesusr.com/ugd/221f3a_e53c7eb219b2408f80669a1d9e4750d3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3ca96f5f-15c0-4c2c-9ce4-75bf7e7f19eb/47678326272.pdf
    • http://vinagakibozune.rf.gd/46321429000.pdf
    • https://92fed17e-af34-466b-b3fe-38cd9ef27699.filesusr.com/ugd/192d58_88de361d46f34365bf96a720fd578fd8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1c2aa8d4-5e4a-4a60-a5e8-065387bcf1f7/how_do_i_find_the_phone_number_for_my_verizon_jetpack.pdf
    • https://68358877-4ee6-4e53-94f7-4bd9665c1f53.filesusr.com/ugd/3bbd68_4ef28c3bf74048b98499dc9acb69c515.pdf?index=true
    • https://uploads.strikinglycdn.com/files/03e8004c-7530-4963-b879-6769f0ee3706/how_to_increase_stamina_for_playing_football.pdf
    • https://s3.amazonaws.com/tugabijenovili/fios_router_g1100_specs.pdf
    • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_97d046062b3f4aa78c44b4fa3d55b21e.pdf?index=true
    • http://fozipifi.epizy.com/33189396891.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fda7.bin
71bd018804845c68a4edab482ef70f3f535012c3d3a6b32640195e890903aab0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDA7 5168 bytes
font_01_sfnt_off00010f25.bin
0ee0d32f333d96c3257104ffc55e5e6f7442a87fcc8d660f2037ce607455aaac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10F25 10824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.