Malicious PDF — malware analysis report

Static analysis result for SHA-256 560c5d38d184be56…

Verdict: MALICIOUS
File type: PDF
Size: 83.7 KB
Created: 2021-03-24 22:02:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7dba1ee118083d93b231d130a8a9a956
SHA-1: 72e26724f220211720b3d232b77666baa1a318f1
SHA-256: 560c5d38d184be565582da2d5949a01185afb6306e2c98c7fd85c34f740d2999
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by two independent detections: a ClamAV signature (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx ML classifier (malicious score 0.9991). The file is small (83.7 KB) yet carries a large number of clickable external links to other .pdf files, many with numeric or random-looking slugs and clustered on a handful of free-hosting and CDN domains (cdn.sqhk.co, *.weebly.com, *.rf.gd, *.epizy.com). That is the shape of a generated SEO/link-farm carrier, not of a document with genuine citations. One embedded URL, https://druttle.ru/wix?keyword=go+sms+pro+apk+mirror, is a keyword-driven lure aimed at users searching for an Android APK mirror, a common entry point into phishing or unwanted-software download chains. No JavaScript or other scripts were extracted, so the T1059.007 tag above is not supported by any recovered active content; the delivery mechanism is the document's link annotations themselves. The wkhtmltopdf authoring application is consistent with automated HTML-to-PDF generation of such carriers.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature above.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=go+sms+pro+apk+mirror
    • https://cdn.sqhk.co/letarezetap/Gijjhq7/vepoxonojimugapotap.pdf
    • http://natiral.space/8267800380wm2il.pdf
    • https://pinosapop.weebly.com/uploads/1/3/4/1/134131344/poxibuvotuz_xusupixofexad_pupasuve_fazaline.pdf
    • https://cdn.sqhk.co/semexixok/hgjgjaF/cut_up_lyrics_generator.pdf
    • http://cabinetsop.xyz/what_is_the_best_55_samsung_tvky838.pdf
    • https://cdn.sqhk.co/wamitavixitu/gehihgs/bandhan_song_pagalworld.pdf
    • https://katesagi.weebly.com/uploads/1/3/4/8/134864962/dapezubogipo_posifomijelew.pdf
    • https://cdn.sqhk.co/timafewa/hidF9vv/ice_cream_cone_calories_dairy_queen.pdf
    • https://zidifupo.weebly.com/uploads/1/3/4/4/134475425/1851192.pdf
    • https://metesanej.weebly.com/uploads/1/3/1/8/131858044/momen_lituwamusitu_pegapa_dimegogetolixot.pdf
    • https://cdn.sqhk.co/zinoliwomi/tibYiar/xunifariliwovomuletufum.pdf
    • https://cdn.sqhk.co/vixemujomu/eNnV02A/20324640486.pdf
    • https://xeludelibiw.weebly.com/uploads/1/3/4/3/134371965/9f145.pdf
    • https://mutolumikiwow.weebly.com/uploads/1/3/1/8/131872082/defugobenel_lojopadu.pdf
    • https://rerutafedebe.weebly.com/uploads/1/3/2/8/132815298/f31df1b26bc.pdf
    • https://fupuvoriru.weebly.com/uploads/1/3/4/4/134494751/filugum_nopedulidija_ruboponafek_firemewo.pdf
    • http://vquest.website/what_is_the_meaning_of_female_pimple_in_hindipngvu.pdf
    • https://cdn.sqhk.co/benibavagoge/hhHgjjd/37332870808.pdf
    • http://dudowowadoz.rf.gd/beethoven_moonlight_sonata_sheet_music_amazon.pdf
    • http://sawopirorafo.rf.gd/assignment_abroad_times.pdf
    • http://rinubef.epizy.com/bladeless_wind_turbine_seminar_ppt.pdf
    • http://firabano.epizy.com/lisa_simpson_coffee_meme_template.pdf
    Namespace, font-vendor and font-license URIs. These come from the XMP metadata stream and from the name tables of the embedded fonts, not from link annotations, and are not lure targets:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
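The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small scanner that walks the raw bytes of a PDF instead of trusting its xref table. The following is an added example written for this page, not the analysis platform's own code. It lists every `N G obj` definition, reports object ids defined more than once with differing bodies, resolves the file both first-wins and last-wins to show that the two reader policies yield different link targets, and then scores the resulting URIs for the link-farm pattern. The sample PDF bytes are constructed (the hosts cdn.example.co, other.example and lure.example are placeholders), the list of "active content" keys and the link-farm thresholds are illustrative assumptions, and the xref tables are omitted because the scanner never reads them.

```python
"""Added example: reproduce PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM
over raw PDF bytes. Not the analysis platform's code; thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): three link annotations, two .pdf targets
# on one host and one on another, followed by an incremental update that redefines
# object "4 0" with a different /URI. A first-wins reader follows the original target;
# a last-wins reader (the normal behaviour for incremental updates) follows the new one.
# xref tables are left out on purpose: this scanner walks the bytes, not the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.co/a/111.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.co/b/222.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/x.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/wix?keyword=apk) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys treated as "active content" for severity purposes (assumed list, not the report's).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|SubmitForm|GoToR|OpenAction|AA)\b")


def parse_objects(data):
    """Return every 'N G obj ... endobj' occurrence in file order as (N, G, body)."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def find_duplicates(objects):
    """Map (N, G) -> list of distinct bodies for ids defined more than once with
    differing bytes: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    seen = {}
    for n, g, body in objects:
        bodies = seen.setdefault((n, g), [])
        if body not in bodies:
            bodies.append(body)
    return {key: bodies for key, bodies in seen.items() if len(bodies) > 1}


def duplicate_severity(bodies):
    """Body-only differences are common in benign incremental updates, so only
    raise severity when one of the duplicate bodies carries active content."""
    return "high" if any(ACTIVE_RE.search(b) for b in bodies) else "info"


def resolve(objects, policy="last"):
    """Resolve each object id to a single body the way a first-wins or last-wins
    reader would. Insertion order is kept so URI lists compare position by position."""
    resolved = {}
    for n, g, body in objects:
        if policy == "first" and (n, g) in resolved:
            continue
        resolved[(n, g)] = body
    return resolved


def extract_uris(body):
    """Pull literal-string /URI targets out of one object body.
    Limitation: escaped parentheses and hex strings are not handled."""
    return [m.decode("latin-1") for m in URI_RE.findall(body)]


def link_targets(objects, policy):
    """All /URI targets visible to a reader using the given resolution policy."""
    uris = []
    for body in resolve(objects, policy).values():
        uris.extend(extract_uris(body))
    return uris


def link_farm_verdict(uris, file_size, max_size=200_000, min_links=3, min_share=0.5):
    """Approximate PDF_SEO_LINK_FARM: a small file with many external .pdf links,
    mostly on one host. The three thresholds are illustrative assumptions."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flag": file_size <= max_size and len(pdf_links) >= min_links and share >= min_share,
    }


def main():
    objs = parse_objects(SAMPLE_PDF)
    for (n, g), bodies in find_duplicates(objs).items():
        print(f"object {n} {g} defined {len(bodies)}x with different bodies, "
              f"severity {duplicate_severity(bodies)}")
    for policy in ("first", "last"):
        uris = link_targets(objs, policy)
        print(f"{policy}-wins targets: {uris}")
        print(f"{policy}-wins verdict: {link_farm_verdict(uris, len(SAMPLE_PDF))}")


if __name__ == "__main__":
    main()
```

On the constructed sample the first-wins view sees three .pdf links with two thirds on one host and flags the file, while the last-wins view sees the redefined object 4 pointing at the non-.pdf lure and drops below the link-count threshold. That gap is exactly why a scanner should walk every object definition rather than follow one resolution policy; on the analysed sample, with roughly two dozen .pdf targets concentrated on cdn.sqhk.co and weebly.com, the link-farm flag fires under either policy.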

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font programs, consistent with the wkhtmltopdf/Qt provenance; no scripts, embedded files or other active content were carved.

font_00_sfnt_off0000e88c.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xE88C
    Size:    3048 bytes
    SHA-256: 680343e330b08116f2ab2bad50a36d95ceb21c8a941837fa4b81fc0c5f09c780

font_01_sfnt_off0000f361.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xF361
    Size:    5028 bytes
    SHA-256: f148175f19d2832ebff2a2fdb3c5c0ed215c749ba5da82a07a5df78fffcddc6b

font_02_sfnt_off00010468.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x10468
    Size:    11460 bytes
    SHA-256: 4a2736b748a95fd479a709baa22281246b58bbdfeb08f832a764e33c7137f361

font_03_sfnt_off00012b4b.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x12B4B
    Size:    16264 bytes
    SHA-256: b7f82d2f7553557e0e94bae4fbbfa034f866ab56970e2f6ca5ebdbc13b4b5e5e