Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a77a8740440250e…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-03-17 10:19:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1878452a72ad138c0cdb151ac6b2422f
SHA-1: aa86c5816557c88a4641bf82ee324698bb964cfc
SHA-256: 4a77a8740440250ee971ccb25d0fad20853d643871d59e3bb947640c7285b7b0
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to other PDF files. One of these links, https://dafemum.ru/award?keyword=rf+antenna+types+pdf, is directly embedded and likely serves as the initial lure. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with phishing or SEO-based malicious distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9964

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/award?keyword=rf+antenna+types+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001081f.bin
    SHA-256: e3ca2b36ddc148aa9470d8637d3bbaa41952aea7ab06155b98d25c5f08aae8b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1081F
    Size: 5016 bytes
  • Filename: font_01_sfnt_off0001195a.bin
    SHA-256: 9b2fe39ad6927ab941379800a49a9a2427b171abb2f9edba2737456d2bca4f65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1195A
    Size: 10532 bytes