Malicious PDF — malware analysis report

Static analysis result for SHA-256 53b0c3690da74b87…

MALICIOUS

PDF

69.2 KB Created: 2021-04-01 15:42:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5ee894718f6d0bfd66326c52e39b2e1 SHA-1: a944f067664efab41adcc997b48e380ba3460a68 SHA-256: 53b0c3690da74b879c52d567e462294b44d2a33da122abf50adbd9ebd4679a48
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to 'fokemale.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to pairing a Dell mouse, aligning with common social engineering tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/aws?utm_term=how+to+pair+dell+mouse+km632
    • https://cdn-cms.f-static.net/uploads/4452173/normal_601d9e2414275.pdf
    • https://static.s123-cdn-static.com/uploads/4379960/normal_600329607cfdb.pdf
    • https://cdn.sqhk.co/lisutovudaf/ct0jiFc/wumakisumup.pdf
    • https://cdn.sqhk.co/wunemuruk/1Yzhbjb/sheet_basant_ka_nach_program_maithili_video.pdf
    • https://cdn.sqhk.co/dikapagoloza/ihchax1/62481653176.pdf
    • https://mufejuraziga.weebly.com/uploads/1/3/0/8/130814984/9901582.pdf
    • https://ziziwatir.weebly.com/uploads/1/3/4/7/134713039/dozuwob.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://laletanegimiw.epizy.com/balto_1995_movie.pdf
    • https://uploads.strikinglycdn.com/files/a0706e2e-28d8-4554-bf59-4782c8660d2e/definitionsbereich_mit_maple.pdf
    • https://uploads.strikinglycdn.com/files/459576d4-0bfb-42c6-864b-7eff6c6fca4b/89417969601.pdf
    • https://s3.amazonaws.com/xedewofuretujo/vepavakijalobuxejovogo.pdf
    • https://s3.amazonaws.com/rerinago/fodamatuluguvudunuf.pdf
    • https://uploads.strikinglycdn.com/files/8dc547a2-7aad-44a2-a67e-cc1eb4f6916a/hexa_block_puzzle.pdf
    • https://s3.amazonaws.com/suzixegazunow/what_did_jesus_say_to_thomas.pdf
    • http://kuwokezolofe.epizy.com/81749523220.pdf
    • https://uploads.strikinglycdn.com/files/cf6ec062-54c4-407a-a5e2-772d8ae10c90/how_to_teach_number_sense_to_kindergarten.pdf
    • http://boligasenupe.rf.gd/race_and_reunion_audiobook.pdf
    • https://s3.amazonaws.com/pukaridimupo/guardian_ad_litem_michigan_statute.pdf
    • https://uploads.strikinglycdn.com/files/f4f43a19-f0a7-440b-8d70-d65c1cd1d66b/61868568890.pdf
    • http://xakurukedafa.epizy.com/bumejupoja.pdf
    • https://s3.amazonaws.com/luborinizu/cae_gold_plus_exam_maximiser_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cda1.bin
e687ec7cd6cc6dfce09b63d30187a5ff143bbc5870ad3489c656d6e4295fddcc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDA1 5672 bytes
font_01_sfnt_off0000e0e0.bin
30df3220d3df890e993c6a8d3542507bd45c60b7acd94985d60dd8ae626f6242		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0E0 11156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.