Malicious PDF — malware analysis report

Static analysis result for SHA-256 60486d53290d0f68…

Verdict: MALICIOUS
File type: PDF
Size: 99.6 KB
Created: 2021-03-19 11:00:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89f921d9d8d9461a9b049cfa674bfed3
SHA-1: b84b9d66022dfee16ccd711a4c3b085ed54f009a
SHA-256: 60486d53290d0f68e2a8629a8b42385c01a337e9c96840168ff1974ddf236fba
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a lure related to a 'robotic vacuum cleaner india demo' and embeds multiple external links, including one to 'baarspo.ru'. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or distributing further malware. The presence of embedded links and the nature of the lure suggest an attempt to trick users into navigating to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=robotic+vacuum+cleaner+india+demo

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001359b.bin
    SHA-256: c9800ab6aa85974ec3834b8219d0607b5e53998c8203b2999a517bcbcda51b89
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1359B
    Size: 5116 bytes
  • Filename: font_01_sfnt_off000146f6.bin
    SHA-256: 9321d92cdd1e8acbd9248c9b44454a41c328d4adb3fea77cf45a107cce604be1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x146F6
    Size: 10516 bytes
  • Filename: font_02_sfnt_off00016b29.bin
    SHA-256: 2732c78df68b4531e26da51a256f0f9ab881cb8a96d1886ade34872d88eeece3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16B29
    Size: 16140 bytes