Malicious PDF — malware analysis report

Static analysis result for SHA-256 539874d0af6dcde0…

Verdict: MALICIOUS
File type: PDF
Size: 83.6 KB
Created: 2021-05-31 03:46:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a362e920b968c323f7a8dab8af35c8e
SHA-1: 24c3b031505c977039e306585c1419e971d2c36f
SHA-256: 539874d0af6dcde0666f981c25980e999f1ba76844ec2e7197779e33830e7198
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, most of them to other PDFs on free site-builder hosting (weebly.com subdomains, uploads.strikinglycdn.com, cdn-cms.f-static.net, static.s123-cdn-static.com) and clustered on one host, which is the generated SEO/link-farm carrier pattern the PDF_SEO_LINK_FARM heuristic targets. The Nyx ML classifier (score 0.9992) and a ClamAV signature (Pdf.Phishing.Trojan) independently flag the file as malicious. The embedded URL `https://dafemum.ru/strik?utm_term=letra+de+gracias+sublime+es+en+ingles` is the primary indicator: its utm_term matches the lyrics/SEO-bait theme of the other links, and the host is best read as a redirector into a phishing or unwanted-software delivery chain. Two caveats for triage: no JavaScript, OpenAction or Launch heuristic fired, so the T1059.007 mapping is not corroborated by the heuristics listed below, and the duplicate-object finding is rated info only. The wkhtmltopdf producer string and the embedded DejaVu-style fonts are consistent with an HTML-to-PDF generated carrier whose risk lies in where the links lead, not in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI [info]: External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL [info]: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (saves, form fills, signatures), so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=letra+de+gracias+sublime+es+en+ingles
    • https://tajusubinem.weebly.com/uploads/1/3/4/8/134886452/saxavusavejebixozize.pdf
    • https://miruvogix.weebly.com/uploads/1/3/1/4/131408245/juteduboda-wurumunowexisu.pdf
    • https://nenojidadexodu.weebly.com/uploads/1/3/4/3/134351563/bamevogexiwagiromuw.pdf
    • https://cdn-cms.f-static.net/uploads/4472208/normal_5fd37b058911a.pdf
    • https://lalevajapogos.weebly.com/uploads/1/3/0/8/130874146/wirekofujerosom.pdf
    • https://wubomedigupuda.weebly.com/uploads/1/3/4/6/134696881/ribesalitaxekusi.pdf
    • https://static.s123-cdn-static.com/uploads/4470977/normal_600749451c1bc.pdf
    • https://kizekusoviwo.weebly.com/uploads/1/3/1/4/131453028/fogevebabapakodud.pdf
    • https://pizakatunif.weebly.com/uploads/1/3/1/8/131856177/c23a981fb5.pdf
    • https://vizegibog.weebly.com/uploads/1/3/4/4/134458583/8775325.pdf
    • https://vekeliludodim.weebly.com/uploads/1/3/4/7/134745250/eaa324.pdf
    • https://fadejumiz.weebly.com/uploads/1/3/5/3/135349507/4864574.pdf
    • https://lomowurepiv.weebly.com/uploads/1/3/1/4/131437546/8647656.pdf
    • https://cdn-cms.f-static.net/uploads/4465545/normal_604d1326d7caf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9b2dbe36-565e-4684-8942-dfb28ef4c68f/daxaposagexerug.pdf
    • https://uploads.strikinglycdn.com/files/6b39207f-b189-45b6-9903-6df5bc3df46f/femepirasuxov.pdf
    • https://uploads.strikinglycdn.com/files/a14627a6-5b0e-4e6b-a59d-290870583c47/epic_emr_tips_and_tricks.pdf
    • https://uploads.strikinglycdn.com/files/eccd2ecd-c3e0-4f76-867b-3f8e6aca731f/female_jumping_spider_lifespan.pdf
    • https://uploads.strikinglycdn.com/files/baf64b93-e910-4f3b-862f-61bc4e4ff59a/letra_de_un_mundo_de_caramelo.pdf
    • https://uploads.strikinglycdn.com/files/6d151399-187b-49a9-a692-38253cc07de6/a_thousand_splendid_suns_book_review.pdf
    • https://uploads.strikinglycdn.com/files/f8cbfc4a-410c-4f42-9fbe-40729d829115/pozejarupexuwepeso.pdf
    • https://uploads.strikinglycdn.com/files/69de2ac9-0eba-4374-b794-89388e2fd3d3/22661214550.pdf
    • https://uploads.strikinglycdn.com/files/85be7e14-b3b5-4336-aa03-4f9b8a427fa4/where_is_the_best_place_to_buy_gluten_free_food.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Triage note: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from the document metadata, and the scripts.sil.org, dejavu.sourceforge.net and ascendercorp.com entries are licence and vendor strings of the kind carried in embedded font name tables (see the three sfnt fonts carved below); none of these are link annotations and they should not be treated as indicators. The actionable set is the dafemum.ru landing URL and the 23 site-builder-hosted PDFs.
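The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small regex-based scanner. The script below is an added example written for this page, not the analyzer's own code: the thresholds, the `.invalid` hostnames and the constructed skeleton PDF returned by `build_sample()` are assumptions, and it only understands plain-string `/URI (...)` values and uncompressed `N G obj ... endobj` pairs, so object streams and hex-string URIs are out of scope.

```python
"""Reproduce two PDF triage heuristics: link-farm clustering and duplicate object bodies."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Thresholds are assumptions for this example, not the report's real tuning.
SMALL_PDF_BYTES = 200 * 1024      # "small" carrier
MIN_URI_ACTIONS = 10              # "mass" external links
MIN_TOP_HOST_SHARE = 0.6          # "mostly clustered on one host"
# Dictionary keys whose presence makes a duplicated object "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")

# Plain-string /URI (...) values only; PDF string escapes \( \) \\ are honoured.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# "N G obj <body> endobj" pairs; the lookbehind stops "10 0 obj" matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Targets of /URI actions, with the ( ) \\ escapes undone."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def seo_link_farm(pdf: bytes) -> dict:
    """PDF_SEO_LINK_FARM-style check: many external links, mostly on one host, small file."""
    uris = extract_uri_actions(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    hit = (len(pdf) <= SMALL_PDF_BYTES and len(uris) >= MIN_URI_ACTIONS
           and share >= MIN_TOP_HOST_SHARE)
    return {"uri_count": len(uris), "top_host": top_host,
            "top_share": round(share, 2), "hit": hit}


def duplicate_object_bodies(pdf: bytes) -> list[dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check.

    Groups every definition by (object number, generation); any object with two
    different bodies is reported with what a first-wins and a last-wins parser
    would each resolve, and rated high only if either body carries active content.
    """
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    findings = []
    for (num, gen), seen in bodies.items():
        if len(set(seen)) < 2:
            continue                      # identical re-definitions are harmless
        first, last = seen[0], seen[-1]
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "definitions": len(seen),
                         "first_wins": first.decode("latin-1"),
                         "last_wins": last.decode("latin-1"),
                         "severity": "high" if active else "info"})
    return findings


def build_sample() -> bytes:
    """Constructed sample (not the analysed file): a skeleton PDF with 12 link
    annotations, 10 on one host, followed by an incremental update that redefines
    object 4 0 with a different body that is itself a URI action."""
    hosts = ["pages.sitebuilder.invalid"] * 10 + ["cdn-a.invalid", "cdn-b.invalid"]
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"4 0 obj\n<< /Title (Sample report) >>\nendobj\n"]
    refs = []
    for i, host in enumerate(hosts, start=10):
        url = f"https://{host}/uploads/{i}/doc.pdf".encode()
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (i, url))
        refs.append(b"%d 0 R" % i)
    objs.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
                + b" ".join(refs) + b"] >>\nendobj\n")
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different (active) body.
    update = (b"4 0 obj\n<< /S /URI /URI (https://landing.invalid/strik?utm_term=x) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    print(seo_link_farm(sample))
    for finding in duplicate_object_bodies(sample):
        print(finding)
```

To run this against a real file, pass its bytes in place of `build_sample()`. For samples that use compressed object streams or hex-string URIs, normalise first with a rewriter such as `qpdf --qdf` and scan the output rather than extending the regexes; a regex scanner that silently misses those encodings is worse than one that refuses them.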

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ee80.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE80
    Size: 5340 bytes
    SHA-256: 4d67c6771b131145da68d324e8881d96b1c9bd7e04822a3af559d50c027ca764
  • font_01_sfnt_off00010097.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10097
    Size: 12812 bytes
    SHA-256: 5b8b847337e0286128bd1d360d015d79748572313561298f9b6289f0c4ab9333
  • font_02_sfnt_off00012988.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12988
    Size: 16264 bytes
    SHA-256: b5457af9b5e012ef97043a658d71e169861154de8a6f4bb9c1462e34426c9a19