Malicious PDF — malware analysis report

Static analysis result for SHA-256 55056674a503c4f1…

MALICIOUS

PDF

77.9 KB Created: 2021-03-29 17:27:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf1efbcfa945339a48c483effca4188f SHA-1: a37b41fa9986d65b52ac04eac851991b97fcde70 SHA-256: 55056674a503c4f14ccfa0440e118298e6d6be19440fa030dbdce05b98b9847b
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous external links, including one to 'dafemum.ru', which is flagged as a potential phishing or malware distribution vector. The 'SE_CALLBACK_LURE' heuristic suggests a phishing pretext, likely aiming to trick users into interacting with malicious content. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' further supports the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=baby+trend+sit+and+stand+lx+stroller+manual
    • https://cdn-cms.f-static.net/uploads/4409246/normal_600a50f34aebf.pdf
    • http://ionatr.space/kofadobopawasilikevawlyui.pdf
    • https://susokeruno.weebly.com/uploads/1/3/4/6/134656617/karekaxokoxin-nilow.pdf
    • https://static.s123-cdn-static.com/uploads/4484993/normal_5ff272c371ee6.pdf
    • https://cdn-cms.f-static.net/uploads/4471513/normal_5fe9963c5b55b.pdf
    • https://bobifadilow.weebly.com/uploads/1/3/5/2/135295989/ff78ad5b0b71.pdf
    • https://static.s123-cdn-static.com/uploads/4418379/normal_5fc9faefe07ad.pdf
    • http://souve.me/dukinerotajifoda4ei8d.pdf
    • https://dijibelusubif.weebly.com/uploads/1/3/4/8/134871127/2c214e7494.pdf
    • https://static.s123-cdn-static.com/uploads/4496571/normal_5ff62f421a034.pdf
    • http://return-0.com/mudowefavejalagedisexa7s1nj.pdf
    • https://mapavafamaluri.weebly.com/uploads/1/3/5/9/135999294/depijuvuvuxo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3a5aa097-47f9-475f-9992-83bceef25cc3.filesusr.com/ugd/f55bec_ddea31a5086b49c18ecd1f2f81a47103.pdf?index=true
    • https://uploads.strikinglycdn.com/files/22c1abbc-3165-4305-b97a-1eb83209ad93/echo_srm_230_parts.pdf
    • https://917ed8d3-8a9f-4c5c-a3ad-554e533308ad.filesusr.com/ugd/a4e402_8ab91541d07b49e4ab4742aa185e4e3f.pdf?index=true
    • https://176fe727-baa2-4f6f-8ab0-cddcd97ecb74.filesusr.com/ugd/45df28_9d0e670b88a142bf86b5e6e51510606d.pdf?index=true
    • https://b24036c1-08f6-4d5b-b8c9-f4c47f26e437.filesusr.com/ugd/ae9acc_201a4ad92050477b968198a49809f550.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2bdaa83b-5c9e-4f68-b075-a18f5b54ed6e/japovenot.pdf
    • https://ca6b24e6-01cd-4368-a310-1df05077a315.filesusr.com/ugd/11b39a_a58d8f388e5a40b8853f88eddfeb19ab.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8f1a2bbf-c5eb-4da4-b61a-b50fc45fc677/porowoluve.pdf
    • https://uploads.strikinglycdn.com/files/95827232-2245-4966-822e-1556ac028f09/how_to_calculate_calories_in_homemade_food.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f212.bin
b4d709c4f4bb1622040cf4d049952e2122dacd4393cfff3c8acb94e974892bc8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF212 5328 bytes
font_01_sfnt_off00010423.bin
1b0d616bd23bcb59cf8c8efb89cd641c1c35b420a02fc3515f287a74b64d28c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10423 11252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.