Malicious PDF — malware analysis report

Static analysis result for SHA-256 41fe824539f9029c…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-06-07 04:43:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de97b801dc30a2eae742dc45b2c721c6
SHA-1: d5f1d4e74ba7cda52908f2d75255ca1165ee1de6
SHA-256: 41fe824539f9029cd0acab1dabb44ccf9f42ebf5e911a53dbb2c9e7a4ebbb436
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan', and ML classifiers assigned it a high probability of being malicious. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, for example http://mokapuv.pbworks.com/w/file/fetch/144612999/435054089.pdf. The embedded URL https://druttle.ru/123?utm_term=amrapali+old+songs is a further potential indicator of malicious activity. No scripts were extracted, but the overall structure is consistent with a phishing or content-luring attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/123?utm_term=amrapali+old+songs
    • https://boxotegiperofog.weebly.com/uploads/1/3/1/3/131398000/dusekabudo.pdf
    • https://xonoxiti.weebly.com/uploads/1/3/4/6/134679971/bezegaguwoxuk_votirebuse.pdf
    • https://nupinugazazani.weebly.com/uploads/1/3/4/7/134726661/9055758.pdf
    • https://levukuwaxumofet.weebly.com/uploads/1/3/1/3/131383949/fekikomakodegabuw.pdf
    • https://sujixiku.weebly.com/uploads/1/3/0/7/130739139/907ef05a84.pdf
    • https://puziwifatewir.weebly.com/uploads/1/3/4/7/134715637/c5ed98e0f729.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://mokapuv.pbworks.com/w/file/fetch/144612999/435054089.pdf
    • http://wesupumus.pbworks.com/w/file/fetch/144669180/56009364362.pdf
    • https://uploads.strikinglycdn.com/files/7b70ae54-ae7a-4b76-a38a-3923263bc941/45504938249.pdf
    • http://kufujibumufa.pbworks.com/f/35907509179.pdf
    • https://uploads.strikinglycdn.com/files/f267bfca-6f01-4b0e-8734-9de2c658e1d0/the_future_of_us_synopsis.pdf
    • https://uploads.strikinglycdn.com/files/5b7dce18-8b5d-455d-a1f6-a4766671c4e3/17297241814.pdf
    • https://uploads.strikinglycdn.com/files/01d1b4fd-0c89-4975-b175-58ca59a6aba4/39577905465.pdf
    • https://uploads.strikinglycdn.com/files/c814b34a-02e5-4fd7-8a1d-9715008ddb44/comparative_and_superlative_adjectives_exercises_perfect_english_grammar.pdf
    • http://pajinap.pbworks.com/w/file/fetch/144496506/what_size_carry_on_luggage_is_allowed_on_delta.pdf
    • http://sufasujozu.pbworks.com/f/surface_area_and_volume_of_composite_figures_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/1eae3ad9-38d6-40f0-ac69-bbde1f7ddc1f/lemivad.pdf
    • http://wekibivu.pbworks.com/w/file/fetch/144629196/43034452496.pdf
    • https://uploads.strikinglycdn.com/files/774760f3-96d3-4c80-849b-c293bf3fc430/2007_toyota_yaris_sedan_parts_diagram.pdf
    • https://uploads.strikinglycdn.com/files/23a253e5-d25a-4eee-945c-94cf58687ac8/the_language_of_flowers_with_coloured_illustrations_anne_with_an_e.pdf
    • https://uploads.strikinglycdn.com/files/e485971a-1232-4bfb-93df-57d7c805a1e2/28009095724.pdf
    • https://uploads.strikinglycdn.com/files/84093423-6252-4dcc-9ae8-ec3ff967d3d1/47752281807.pdf
    • http://gibuwodebu.pbworks.com/f/enriques_journey_quotes_about_immigration.pdf
    • http://xovakovawup.pbworks.com/w/file/fetch/144510921/89174924820.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e8db.bin
SHA-256: 0b5bdbdb01f836e901e783caf131c706ad4d0061d9f3868e5ac931eeeac49084
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE8DB
Size: 5268 bytes

Filename: font_01_sfnt_off0000faab.bin
SHA-256: 260f808f12c90cdcf87645983911e77b310b5d773be6b6406fb9f3fdacd1cdc9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFAAB
Size: 10460 bytes

Filename: font_02_sfnt_off00011e91.bin
SHA-256: 9c7926b8929b88a1dffb52ec04bcfb477868fd459509337312ce674bafabbb6a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E91
Size: 16192 bytes