Malicious PDF — malware analysis report

Static analysis result for SHA-256 497f9a0c7cf1ac68…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2021-03-25 04:15:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4afe881fd831b28f2a44b7c777de66c2
SHA-1: 72135b4626a42724ff669b751bf5abfffcb3ae58
SHA-256: 497f9a0c7cf1ac68dfaef240aedc90ade4c158e384b3d4c107db1908ea8af786
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document contains numerous external links, with one prominent link pointing to 'dafemum.ru', suggesting a phishing or malware distribution attempt. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate the document is designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e4e7.bin
    SHA-256: fa0903aecbab497d047c3e03858787fab7c556c509d513ed89a770581d4e00f5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE4E7
    Size: 5372 bytes
  • Filename: font_01_sfnt_off0000f742.bin
    SHA-256: c975e3ccdeecd3c08d57ca1b9c0c218bb620fb082226c78d8d3ef800142cd299
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF742
    Size: 10776 bytes