Malicious PDF — malware analysis report

Static analysis result for SHA-256 57228184528e2f9a…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2021-04-07 03:22:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0784d80f722f75237eed12f762c1377
SHA-1: d4c45a611fe729e205c1d6cbfe67a59c7bebcbf6
SHA-256: 57228184528e2f9ad7a620b6076bf3c8fc3eb95b1e06788da6e10af7d1ac9624
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many pointing to PDF files hosted on various platforms, suggesting a link farm or SEO poisoning tactic. The primary URL, 'https://fokemale.ru/award?keyword=acetil+carnitina+pdf', appears to be the entry point for this network of links. While no scripts were explicitly extracted, the nature of the PDF and the extensive linking strongly indicate an attempt to redirect users to malicious or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://fokemale.ru/award?keyword=acetil+carnitina+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100f5.bin
SHA-256: d5244ec59f68474a079a0ee1ff5dda41eb40b237ae7b03d13a2d65c54c6eabcd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x100F5
Size: 4960 bytes

Filename: font_01_sfnt_off000111eb.bin
SHA-256: 2d6a5248f13e9fe030d3c0098dd9537108e58f9dc9989c9e78014d707578e44b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x111EB
Size: 14448 bytes