Malicious PDF — malware analysis report

Static analysis result for SHA-256 48de0594451d4849…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-24 20:22:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e831b25c18da15a6d9e58bd6b24ea55
SHA-1: 36c7fcc5bb6f86ddc428d46e2abf704099800aee
SHA-256: 48de0594451d4849422715cf86b83b3fd04f780fd777e9195f01cb79efdbec34
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized to appear as search results, including one for 'aerospike engine design pdf'. The primary malicious URL identified is dafemum.ru, which likely serves as a distribution point for further malicious content. The presence of numerous links suggests a link farm or phishing attempt designed to drive traffic to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9264

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dafemum.ru/award?keyword=aerospike+engine+design+pdf
    • https://static.s123-cdn-static.com/uploads/4444869/normal_5ffce4d374e99.pdf
    • https://cdn-cms.f-static.net/uploads/4403121/normal_5fe6beb8115bd.pdf
    • https://static.s123-cdn-static.com/uploads/4382418/normal_5fe4a478229e2.pdf
    • https://cdn-cms.f-static.net/uploads/4384832/normal_602efc5886af9.pdf
    • http://pay-order.info/dovumebibejikefopife3g1mw.pdf
    • http://monidokazuxawop.22web.org/7813635942.pdf
    • http://wutoxurusot.iblogger.org/walmart_school_uniforms_pants.pdf
    • http://allmedbook.com/565955218709emzp.pdf
    • http://funseeds.site/15607173593mhcpz.pdf
    • http://islemleriniz.org/51398541639ofbzh.pdf
    • https://static.s123-cdn-static.com/uploads/4388422/normal_600903e335d9c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://466f9527-ada3-48b4-ac0c-4ba5546996ca.filesusr.com/ugd/a4b6b9_7a1aee5a3acb40f6a7693625bf6f73bf.pdf?index=true
    • http://bisiziwaros.epizy.com/81800078958.pdf
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_355ef92ec831489da5dc58ea88bde4af.pdf?index=true
    • https://b7953657-6b45-4ea9-9d9d-f701e3f26526.filesusr.com/ugd/45996c_c7218598bfe443b18251caab7aac3b7e.pdf?index=true
    • https://944bcc21-9f45-42c2-9889-8cf837fa5d1c.filesusr.com/ugd/50f869_fd53310af9404954aa64a47ca8cd5a95.pdf?index=true
    • https://18e7ef82-5c75-44fe-ae22-4c356c2c9ce0.filesusr.com/ugd/749e61_8943f85ff43b4625b230d4d1352989b6.pdf?index=true
    • https://ef5e9b3f-1a8e-4c79-9b60-34b8f8133c96.filesusr.com/ugd/18574e_0e501707435a40ffa3f14b2e4efbd45f.pdf?index=true
    • https://72dfff08-f6cb-4f5d-aaac-ebe71175d6a6.filesusr.com/ugd/c268f7_d0ec8541f5f84125af95da5bf7f8ce10.pdf?index=true
    • https://2ea9429b-0332-4ee6-bb75-ab9535b56c99.filesusr.com/ugd/e2f7e1_07387f9cb522416d9a6333f125a7769a.pdf?index=true
    • http://bubotelerokuz.rf.gd/31501292858.pdf
    • https://ce2645ba-e89a-43d5-afff-5c0150757291.filesusr.com/ugd/c63dba_c1d3e15c9e54410f8bb66cf1230dd53d.pdf?index=true
    • http://buzidasore.rf.gd/fugebotutudut.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f662.bin
  SHA-256: 35e608a53c21515b00862ae8a2773449d14fe77e2b5c6a4b7df690b704cfbf45
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF662
  Size: 5020 bytes

Filename: font_01_sfnt_off0001078f.bin
  SHA-256: b67259db815d9f255014110ce9fe33a06390af66e35384f7162d071b10953560
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1078F
  Size: 11172 bytes