Malicious PDF — malware analysis report

Static analysis result for SHA-256 41f117fe51fcc0bb…

MALICIOUS

PDF

Size: 94.9 KB
Created: 2021-03-21 22:37:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f4d6a84e906e49c17f91feaf56f4bc5
SHA-1: 74a1d5a97459b17e9785a9512cd59e88e5d42fa8
SHA-256: 41f117fe51fcc0bb9cf6f314d1289ef52822913a5228aa0a4bbab8299effd427
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file was identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing or link farm attack. It contains numerous external links, with a primary focus on directing users to `dafemum.ru`. The heuristic `PDF_SEO_LINK_FARM` indicates a mass of external PDF links, suggesting an attempt to manipulate search engine results or distribute malicious content. No scripts were extracted, but the presence of multiple external URLs points to a likely attempt to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics 5

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=simplified+chinese+characters+numbers
    • https://cdn-cms.f-static.net/uploads/4412568/normal_604eff0398c34.pdf
    • http://predouche.xyz/8036053590u2m2e.pdf
    • http://leftoutclub.com/81987504495ee0po.pdf
    • https://cdn-cms.f-static.net/uploads/4420748/normal_6038deed0bc27.pdf
    • https://cdn-cms.f-static.net/uploads/4483365/normal_602183a160b69.pdf
    • http://jajolamuseku.medianewsonline.com/toefl_practice_test_pbt.pdf
    • https://nadaroxiwe.weebly.com/uploads/1/3/4/6/134688146/tijatirukiwij-burozisuvapujo.pdf
    • http://vobajujabu.mywebcommunity.org/wakomuluxituxuwojoravad.pdf
    • https://cdn-cms.f-static.net/uploads/4502870/normal_5fdc186184925.pdf
    • http://delifeschool.com/gelewurimufqju48.pdf
    • https://cdn-cms.f-static.net/uploads/4452386/normal_6056bb9a6070c.pdf
    • https://static.s123-cdn-static.com/uploads/4368222/normal_5fe097b0c13fe.pdf
    • https://lolewifewo.weebly.com/uploads/1/3/4/7/134710585/1312463.pdf
    • http://gudelew.mywebcommunity.org/25393725127.pdf
    • http://wapividazofar.scienceontheweb.net/lufidipewefododawuxefu.pdf
    • http://ru-en.xyz/389206852479fa5i.pdf
    • https://lonunirixug.weebly.com/uploads/1/3/2/7/132710494/6349046.pdf
    • https://static.s123-cdn-static.com/uploads/4446016/normal_5fdcc022ea5f9.pdf
    • https://resusogid.weebly.com/uploads/1/3/5/3/135346187/lejuwojoxikis.pdf
    • http://ketotreno.buzz/94790863001b85v0.pdf
    • https://cdn-cms.f-static.net/uploads/4449001/normal_6051008d0af6d.pdf
    • https://static.s123-cdn-static.com/uploads/4404103/normal_5ff1575f9da60.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1ded8da1-00cb-4dd4-a34b-ae16ffa285d7/midland_gxt_walkie_talkie_battery_replacement.pdf
    • https://uploads.strikinglycdn.com/files/00e9f5e3-7fc2-4fbd-860b-ce9c7ac8c7e1/what_is_first_second_and_third_estate.pdf
    • https://uploads.strikinglycdn.com/files/5269b81f-522e-49f9-8462-8cf9b8b112a4/jololow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                        Size
font_00_sfnt_off00010940.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10940    13332 bytes
  SHA-256: 14683f4cb0b47a89691a94160c8aaeeb1e506219b3f6acba7e828a2e45e3e77a
font_01_sfnt_off00013418.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x13418    5636 bytes
  SHA-256: 3c9c7f6624cf3f27ed2568620e97743e3d6038ab047f5d22c70d95a6aeed6e03
font_02_sfnt_off00014711.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x14711    11236 bytes
  SHA-256: 2b6d24e8c0937f8be354504f9ea55dc571f7a458b02903c5cddd33bc0ac2f8b1