Malicious PDF — malware analysis report

Static analysis result for SHA-256 5228c5bd551f78c5…

MALICIOUS

PDF

74.8 KB Created: 2021-02-13 06:38:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb85ab7dde7eb3725ef65d06bcd5588c SHA-1: 7baa2f5e61a7642caedcd03718b8ee7ad7d1bb5f SHA-256: 5228c5bd551f78c585b5d87af9bdb307293c4cb45286c24de8449f3fcb4c6461
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on dynamic DNS services or file-sharing platforms, suggesting a link farm designed to host or redirect to malicious content. The presence of a 'download button' heuristic further supports a malicious intent to trick users into downloading files. ClamAV detection as 'Pdf.Phishing.Trojan' confirms the malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/wix?keyword=final+fantasy+mod+apk+xv
    • https://xomugewobi.weebly.com/uploads/1/3/0/8/130814749/4423202.pdf
    • https://zoxuzula.weebly.com/uploads/1/3/4/4/134489613/5014748.pdf
    • https://static.s123-cdn-static.com/uploads/4409098/normal_5ff9f64115c69.pdf
    • http://ourfutures.space/324226967414gwsl.pdf
    • http://normaa-id.com/12955089804uddpa.pdf
    • https://vesanalu.weebly.com/uploads/1/3/1/4/131482823/a289917bceacd01.pdf
    • https://jibogikufojubu.weebly.com/uploads/1/3/1/4/131438018/8959981.pdf
    • https://cdn-cms.f-static.net/uploads/4421764/normal_5fe787e744f89.pdf
    • https://cdn-cms.f-static.net/uploads/4425009/normal_6021e8459281b.pdf
    • https://peruvapi.weebly.com/uploads/1/3/0/8/130813059/gasij-suzodudok.pdf
    • http://idealica-italiaufficiale.website/bakery_near_me_ice_cream_cake101y8.pdf
    • https://cdn-cms.f-static.net/uploads/4501229/normal_6023f750920ef.pdf
    • https://karezolakep.weebly.com/uploads/1/3/1/3/131398125/dadezilap.pdf
    • https://meronikam.weebly.com/uploads/1/3/4/7/134705372/58c0c18c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://besasasef.rf.gd/tencent_gaming_buddy_64_bit.pdf
    • http://zoxuditavuvov.rf.gd/xetojokeduvasu.pdf
    • http://bifazulenamo.epizy.com/97399322974.pdf
    • http://tesoxukezeziles.epizy.com/full_audio_quran_recitation_and_transliteration.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d534.bin
d8b907802410e675ceca2784509e58a9dae2947c1b2ad43e3e0c02687eabed47		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD534 2952 bytes
font_01_sfnt_off0000dfc2.bin
b9c4e999d35dca7997f885e7877a253adb6bd31e6875681413be9b729c53150a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFC2 5340 bytes
font_02_sfnt_off0000f1f2.bin
e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1F2 1800 bytes
font_03_sfnt_off0000fa80.bin
c7b7f2abedbbd343fcb6475dc225d778d2e819f4afc69b8d81157571b5bebd94		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA80 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.