Malicious PDF — malware analysis report

Static analysis result for SHA-256 43b20e519452ca5e…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2021-03-22 20:52:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 49391dcf255ae5075f8d40d013d8f7c0
SHA-1: 5147160dd039d228b81fe759648e6e454f95b882
SHA-256: 43b20e519452ca5e6e7ba59faf7966f6b30d51a279a5c6564c7e59d3084fe862
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. The presence of numerous external links, particularly the one pointing to 'fokemale.ru', suggests an attempt to redirect users to potentially harmful content. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/wix?keyword=junky+free+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d8cc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD8CC
    Size: 4772 bytes
    SHA-256: 49bd4d0854a7120c8ba8fed97b59c159fd2f0b6ab48ea15a8cd7968189e319e4
  • Filename: font_01_sfnt_off0000e930.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE930
    Size: 15280 bytes
    SHA-256: dfb46382886c50efe8e02286271b96432a850b5f92550fddcc5d005a4fa580ea