Malicious PDF — malware analysis report

Static analysis result for SHA-256 49860f13e4a67c8d…

MALICIOUS

PDF

Size: 81.3 KB
Created: 2021-05-17 04:36:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89ff3b4e76586b5433c0e7febf4bd348
SHA-1: 19e16e59d34b3d8bea72fd325172201b9208a147
SHA-256: 49860f13e4a67c8d37c0fcf7f627f833887a055096c98928f6e2b79fd482e9f5
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, most of them pointing at other PDFs hosted on a few site-builder CDN domains; this is the generated link-farm pattern that the PDF_SEO_LINK_FARM heuristic flags, not a normal citation pattern. One outlier, https://dugedepap.ru/strik with a utm_term query string advertising free books, is the kind of lure URL used to route readers into phishing or unwanted-software delivery. No script content was extracted from the file, so the malicious verdict rests on the document structure, the link pattern and the heuristics and signatures below rather than on observed code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). Only the link-annotation URLs count toward the link-farm heuristic: the RDF, Dublin Core and Adobe XMP entries at the end of the list are metadata namespace identifiers, and the type-foundry and OFL licence URLs are characteristic of embedded-font name tables (vendor, designer and licence URLs), not clickable links.
    • https://dugedepap.ru/strik?utm_term=fifty+shades+free+books
    • https://cdn-cms.f-static.net/uploads/4479435/normal_600ff940c58a2.pdf
    • https://cdn-cms.f-static.net/uploads/4469852/normal_605247d0903cb.pdf
    • https://cdn-cms.f-static.net/uploads/4463812/normal_600a04f09f4f8.pdf
    • https://cdn-cms.f-static.net/uploads/4477162/normal_603635a750a52.pdf
    • https://static.s123-cdn-static.com/uploads/4388272/normal_6000660b4b6c5.pdf
    • https://pumaxodevuk.weebly.com/uploads/1/3/1/8/131872084/kegomizewajaparepo.pdf
    • https://cdn-cms.f-static.net/uploads/4465703/normal_60402c3608d2e.pdf
    • https://static.s123-cdn-static.com/uploads/4414687/normal_5fca64db085b5.pdf
    • https://lurufabufukigo.weebly.com/uploads/1/3/1/4/131407807/170c533c6b1a.pdf
    • https://static.s123-cdn-static.com/uploads/4416136/normal_5fc924e7cc792.pdf
    • https://nurifekuti.weebly.com/uploads/1/3/4/5/134516663/xofeg.pdf
    • https://nevimemiwuje.weebly.com/uploads/1/3/5/3/135332714/29f78359.pdf
    • https://birugenok.weebly.com/uploads/1/3/4/6/134632973/fixaluxu.pdf
    • https://cdn-cms.f-static.net/uploads/4404103/normal_604e47c484291.pdf
    • https://cdn-cms.f-static.net/uploads/4423700/normal_602593d07ea7b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://e0d0d77b-4c00-4265-bc22-f0cc5cf11ada.filesusr.com/ugd/957eb4_428aa0b5b6164b1686b5cd45d7ddd64d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/944ec39d-622c-4731-a334-e1b21a1ed89f/lease_agreement_termination_notice_format.pdf
    • https://e4034479-4ead-418b-af8c-5be8dc72bdbe.filesusr.com/ugd/1e8759_4c193011b573460e8812eba0e3d0c3b4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7fa2c499-52ed-42e8-8588-ba3d2dfe7d21/13880503217.pdf
    • https://uploads.strikinglycdn.com/files/d4b8d445-1030-41a1-8180-eca800ff2b45/gefeg.pdf
    • https://uploads.strikinglycdn.com/files/047b5a9d-3692-4f6e-bd4e-b602737cadf2/what_is_b13_service_on_honda_odyssey.pdf
    • https://5984e891-aecd-43e6-866f-efdb297c9c35.filesusr.com/ugd/403565_c9edd299f9054252a7236dc9db15b603.pdf?index=true
    • https://968bac2e-1409-45a7-bd11-2c37eba47390.filesusr.com/ugd/c81504_616f66f274ce4b0f914518fc20c925a1.pdf?index=true
    • https://8ed7ad90-0d0e-491f-9c15-1f6cd5a61d18.filesusr.com/ugd/f1a804_a4a8100607204ea39fa6ceefa492e1ca.pdf?index=true
    • https://bb491b24-4c81-4ccc-8daa-bf1baeb171c2.filesusr.com/ugd/93c935_b18eef43691b487093721eccca7acef0.pdf?index=true
    • https://010f2e21-25ca-4560-806d-08cbbb7c7db1.filesusr.com/ugd/74a852_5a487b43b63e447e80240272e919898b.pdf?index=true
    • https://f9cb7010-568c-45d0-b0a5-7bd630b60272.filesusr.com/ugd/b10ea2_9d0bee20895747e6918bdba826e1c8de.pdf?index=true
    • https://da54c32a-99c7-4590-8520-800dd2d1cae3.filesusr.com/ugd/7973d2_d5f4e21d0145494f8fa19aef8311eed7.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
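The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few lines of byte-level parsing. The script below is an added example written for this page; it is not the analysis tool's code and does not run on the analysed sample. It works on a constructed PDF-shaped byte string that carries ten /URI link annotations (seven on one host) and one object, 4 0, redefined by an appended incremental update. The thresholds (at least 8 links, at least 50% on one host, file no larger than 200 KB), the example host names and the set of "active content" keys that raise the duplicate-object severity are all assumptions chosen for the demonstration.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a small PDF whose first revision
# ends at the first %%EOF, followed by an incremental update that redefines
# object 4 0 (the catalog's /OpenAction target) with a JavaScript action.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R] >> endobj
4 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/1/a.pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/2/b.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/3/c.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/4/d.pdf) >> >> endobj
9 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/5/e.pdf) >> >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/6/f.pdf) >> >> endobj
11 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-static.example.net/uploads/7/g.pdf) >> >> endobj
12 0 obj << /Subtype /Link /A << /S /URI /URI (https://lure.example.net/land?utm_term=free+books) >> >> endobj
13 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.org/) >> >> endobj
14 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.org/fonts.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.alert\(1\)) >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" in file order. The lookbehind stops a match starting in
# the middle of a number; streams whose data contains "endobj" would need a
# /Length-aware parser, which is out of scope here.
OBJ_RE = re.compile(rb"(?<![0-9.])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.DOTALL)
# /URI values written as literal strings; hex strings and object streams are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Assumed set of dictionary keys that make a redefined object "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/SubmitForm",
               b"/GoToR", b"/AA", b"/OpenAction", b"/EmbeddedFile")


def iter_objects(data):
    """Yield ((num, gen), body) for every object definition, including redefinitions."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def extract_link_uris(data):
    """Return every URL reachable through a /URI action, with PDF string escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def link_farm_verdict(uris, size_bytes, min_links=8, min_share=0.5, max_size=200 * 1024):
    """Small file, many external links, most of them on one host: the link-farm shape."""
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = size_bytes <= max_size and len(uris) >= min_links and share >= min_share
    return {"links": len(uris), "top_host": top_host,
            "top_share": round(share, 3), "flagged": flagged}


def duplicate_objects(data):
    """Map (num, gen) -> distinct bodies, for objects defined more than once with different bytes."""
    seen = {}
    for key, body in iter_objects(data):
        bodies = seen.setdefault(key, [])
        if body not in bodies:
            bodies.append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for key, b in iter_objects(data) if key == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def analyse(data):
    dup_report = []
    for (num, gen), bodies in duplicate_objects(data).items():
        dup_report.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            # Assumed policy: body-only differences are "info" unless a definition is active.
            "severity": "high" if any(has_active_content(b) for b in bodies) else "info",
            "first_wins": resolve(data, num, gen, "first").decode("latin-1"),
            "last_wins": resolve(data, num, gen, "last").decode("latin-1"),
        })
    return {"link_farm": link_farm_verdict(extract_link_uris(data), len(data)),
            "duplicates": dup_report}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_PDF), indent=2))
```

Run stand-alone, the script reports the sample as a link farm (10 links, 70% on cdn-static.example.net) and shows why the duplicate-object heuristic matters: a first-wins reader resolves 4 0 to the harmless /GoTo action, a last-wins reader (the normal behaviour for incremental updates) resolves it to the JavaScript action that the catalog's /OpenAction points at.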

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (SHA-256 of each carved file on the line below its name)

font_00_sfnt_off0000f415.bin
    SHA-256: c7b6013da24aa0e4e39080c7d794cb0e31073d8f5f2943e9f7db35aabd7ba85a
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xF415   Size: 4908 bytes
font_01_sfnt_off000104d7.bin
    SHA-256: 9ec02a9a289817725a6a9a5004213ee112e8e17ee8402f58ab83816f55473da6
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x104D7   Size: 10576 bytes
font_02_sfnt_off0001290f.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1290F   Size: 4324 bytes