Malicious PDF — malware analysis report

Static analysis result for SHA-256 5529f9c67c0aa81b…

Verdict: MALICIOUS
File type: PDF
Size: 87.0 KB
Created: 2021-04-30 04:10:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87b238aff95206486a9b16c8ba9789fe
SHA-1: d735ee154d7606ce788509e72eb49aaedb8e20cd
SHA-256: 5529f9c67c0aa81bf361f1ef158ed9ce7c997d01eb2c23e28c456e899f756555
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and a machine learning classifier, specifically flagged as a phishing trojan. It contains a large number of external links, with the primary one being `https://dugedepap.ru/strik?utm_term=in+what+order+should+i+read+the+selection+series`. The PDF also embeds a link farm of 30 external PDF documents, suggesting a coordinated effort to redirect users to potentially harmful content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://dugedepap.ru/strik?utm_term=in+what+order+should+i+read+the+selection+series

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001155f.bin
    SHA-256: 4246a0d5f2ddf158604c9e6e932abe32dbea35de0229aa979007f431ba422a21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1155F
    Size: 5056 bytes
  • Filename: font_01_sfnt_off0001269c.bin
    SHA-256: 2488351deb811a3b017370cdb9117a831f39a50d90e4eaea2ae9ba2f6e49f28d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1269C
    Size: 11640 bytes