Malicious PDF — malware analysis report

Static analysis result for SHA-256 64a4e3768b174262…

MALICIOUS

PDF

Size: 80.2 KB
Created: 2021-04-10 09:34:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94e47adfc7dc1f83c7fe68f76c8fae7f
SHA-1: 9deb85e033cf833da0a1cdb1fc205d22bdec6c70
SHA-256: 64a4e3768b174262b6812725faf892ed7a4211ad10d419ae3e4be01779fafd64
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, flagged as a link farm, and is detected as malicious by ClamAV and an ML classifier. The primary URL, 'https://pelibifir.ru/strik?utm_term=how+to+write+dialogue+for+short+film', suggests a phishing or malware distribution attempt disguised as helpful content. No scripts were extracted, but the extensive link farm indicates a strong intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://pelibifir.ru/strik?utm_term=how+to+write+dialogue+for+short+film

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fa8c.bin
    SHA-256: 759f6c4872dacf68f07eb7d624f5499e15c89a666bab8344f80c483378954fc6
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFA8C; Size: 5376 bytes
  • font_01_sfnt_off00010cb8.bin
    SHA-256: ea39023d84f6c875d8e7046b184ca781ff24f335ce8b91a75e743dd5e6d31dd3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10CB8; Size: 10552 bytes