Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d9711c7f0729713…

Verdict: MALICIOUS
File type: PDF
Size: 88.5 KB
Created: 2021-03-26 10:06:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ad6f706eaa7e5a5de1240adb7dfa239
SHA-1: a8efd5287c35bf40ee4977279a3cf41cd17e7607
SHA-256: 4d9711c7f0729713f5ec9ce2d6b3c8fa21fb5422762c467f6fa8810a09c00d7d
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one pointing to a suspicious domain ('jumiwimov.ru') that is likely part of a phishing or scam operation. The presence of a 'Download Now' heuristic further supports the idea that this document is designed to trick users into clicking malicious links. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/123?utm_term=bombay+velvet+full+movie++bluray
    • https://cdn-cms.f-static.net/uploads/4409630/normal_601ce46b152d1.pdf
    • https://cdn.sqhk.co/nuwobevina/XyLQIdF/free_netflix_vpn_download.pdf
    • https://cdn-cms.f-static.net/uploads/4450351/normal_602e4256af300.pdf
    • https://cdn.sqhk.co/tezofugowura/fv0iu2n/86689487570.pdf
    • https://static.s123-cdn-static.com/uploads/4424361/normal_600323b66dc2c.pdf
    • https://cdn-cms.f-static.net/uploads/4368763/normal_600cf4e03a1a6.pdf
    • https://static.s123-cdn-static.com/uploads/4482847/normal_5fce7a6f6da25.pdf
    • https://static.s123-cdn-static.com/uploads/4426071/normal_5feb5cd0e5578.pdf
    • https://cdn-cms.f-static.net/uploads/4472775/normal_6052e55ce566c.pdf
    • https://static.s123-cdn-static.com/uploads/4366958/normal_5ffd4b6756b94.pdf
    • https://cdn.sqhk.co/jabosuve/j63JgjG/dark_raider_game_download.pdf
    • https://cdn-cms.f-static.net/uploads/4451954/normal_600b68792073b.pdf
    • https://static.s123-cdn-static.com/uploads/4413468/normal_5ff41ff535189.pdf
    • https://cdn-cms.f-static.net/uploads/4450041/normal_5fd1366ede5a8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.fontrix.comhttp://www.nhncorp.com
    • https://91e55214-10ad-44cf-a10a-60a9392df58b.filesusr.com/ugd/e1c37d_682c460a4f494dbab62d7a2498632402.pdf?index=true
    • https://uploads.strikinglycdn.com/files/11ad4955-2818-4449-bde2-223f8f94fb01/60003427459.pdf
    • https://uploads.strikinglycdn.com/files/dfdfd3cd-17b7-42c3-9eca-f1321334e82a/streetcar_named_desire_movie_vs_play_ending.pdf
    • https://uploads.strikinglycdn.com/files/716af3e5-5ada-4351-8515-db9c8a5fbcff/brother_intellifax_4750e_not_receiving_faxes.pdf
    • https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_ad4de07b6b4548aba2af04ad65ceb74a.pdf?index=true
    • https://ab737b70-891a-4a1f-8db9-ee548211cb31.filesusr.com/ugd/ce14f3_891ae1af4541488aabde6f284260e7c9.pdf?index=true
    • https://9ffa65b4-b95e-481c-977d-2cf6acaa57d7.filesusr.com/ugd/f68d46_aae68ca5b4b643428b7f06f9a28fb376.pdf?index=true
    • https://uploads.strikinglycdn.com/files/befaa78b-6b0e-4633-ae81-f5b0448130dd/mevawuwoj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source location inside the PDF, and size.

  • stream_005_off00012798.bin
    SHA-256: 212a1d0dbcec2e09356a6a5bd024148ad473dfde73b3ed870b5c4c3e62327272
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x12798
    Size: 23812 bytes
  • font_00_sfnt_off0000e612.bin
    SHA-256: abe353aff190c0b023544f34468576608c531ffaf9d7f5489bf4c14812077a38
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE612
    Size: 5088 bytes
  • font_01_sfnt_off0000f758.bin
    SHA-256: 787c772d79cb3fe093f387f2e218cdca45fc8d01eb05582397998e0cb5f1141f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF758
    Size: 11532 bytes
  • font_02_sfnt_off00011eaa.bin
    SHA-256: e56f5db8faf554166087922806b3819c377976d94af14c6b8a512386de68c265
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11EAA
    Size: 2056 bytes