Malicious PDF — malware analysis report

Static analysis result for SHA-256 531ca428d95d0ac9…

Verdict: MALICIOUS
File type: PDF

Size: 77.3 KB
Created: 2021-03-05 14:40:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-29
MD5: 221bb28ee13094f9d5b4c15cb4846c44
SHA-1: b85edbb74171285ee9ff02e1825590ac2c1cc5e5
SHA-256: 531ca428d95d0ac9333950c4f74d69dc93e3dfd0eb0289e92425e9070adbba2a
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected as malicious by multiple heuristics and an ML classifier, indicating it likely exploits a vulnerability or attempts to trick the user. It contains a large number of embedded links, many of which point to potentially malicious redirectors or disposable hosting, suggesting a link farm designed to lead users to harmful content. The primary malicious URL identified is https://dafemum.ru/wix?keyword=... which is flagged as a known malicious redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/wix?keyword=%25D0%25BF%25D0%25B5%25D1%2580%25D1%2588%25D0%25B8%25D0%25B9+%25D1%2583%25D1%2580%25D0%25BE%25D0%25BA+2017-18+%25D0%25BD%25D0%25B0%25D0%25B2%25D1%2587%25D0%25B0%25D0%25BB%25D1%258C%25D0%25BD%25D0%25B8%25D0%25B9+%25D1%2580%25D1%2596%25D0%25BA (In PDF document text)
    • http://simcars.ru/pogil_activities_for_high_school_chemistry_limiting_and_excess_reactants_answers1ahv7.pdf (In PDF document text)
    • http://naturebiolog.space/mafemadekozizukunulu9pf7x.pdf (In PDF document text)
    • http://mazikopipovix.mywebcommunity.org/jonoserodepekozakexizo.pdf (In PDF document text)
    • http://gasurorir.sportsontheweb.net/twilight_books_for_sale_jhb.pdf (In PDF document text)
    • https://kisetizep.weebly.com/uploads/1/3/5/9/135992433/bisipubexova-vofopil-muberujulepum-keviw.pdf (In PDF document text)
    • https://mubajodopiwal.weebly.com/uploads/1/3/1/4/131454521/befik.pdf (In PDF document text)
    • http://tinesemexogo.mygamesonline.org/how_did_the_civil_war_and_reconstruction_change_america.pdf (In PDF document text)
    • https://lipijunozawisek.weebly.com/uploads/1/3/4/7/134721324/vomafajer.pdf (In PDF document text)
    • http://fabermanufacture.ru/danby_8000_btu_window_air_conditioner_costco5mxhd.pdf (In PDF document text)
    • http://takipibimaxubov.sportsontheweb.net/xexuzotomewasivusawobap.pdf (In PDF document text)
    • https://volilisaxox.weebly.com/uploads/1/3/1/4/131453747/9527183.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://s3.amazonaws.com/vabedafozo/thailand_visa_on_arrival_form_for_india.pdf (In PDF document text)
    • https://a121017b-3fb3-450c-9156-48dd71a9bf80.filesusr.com/ugd/07625c_b20c1d88290f4f918fae738dc10505ce.pdf?index=true (In PDF document text)
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_53f47f4b96574d6794861086ba32410d.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/bulalowisu/emulator_ps3_android.pdf (In PDF document text)
    • https://0f8fedcd-12c0-4678-86f8-e2bff7269121.filesusr.com/ugd/70e7d4_bdf8ae570b6344b39c87a906784f6e6b.pdf?index=true (In PDF document text)
    • https://945b3f91-9c76-4178-be32-f0dab3cfe2c6.filesusr.com/ugd/8d5d69_1bceffc641f14f65a4494c5eeeeb3a86.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/gazivemon/29277761626.pdf (In PDF document text)
    • https://1de4b56a-3309-4767-83a2-f1bb1ea7c594.filesusr.com/ugd/a6e5e9_d6711bede05642a8acc2b69c1d1f3e66.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/vibuvomomuv/pewuzafixuxuwerigodes.pdf (In PDF document text)
    • https://7ef5d8b8-74ac-4e0a-b0a0-fa61ca6462a8.filesusr.com/ugd/23e9be_718b08dbb1384eafaafbd326f48204a6.pdf?index=true (In PDF document text)
    • https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_4886d43e195c4e39b461e43283839065.pdf?index=true (In PDF document text)
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_478424d3a87c49daa4825276f7477500.pdf?index=true (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000df7e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF7E
    Size: 6280 bytes
    SHA-256: 46b2cf70524e8eb87d46378b976e8cc038d7fd426e9cf0130bb63fccecbf3361
  • font_01_sfnt_off0000f440.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF440
    Size: 15796 bytes
    SHA-256: 59d5f4d0324e7695fa97bf014cd0035bb959dfc384137940cb0449725e97d36f