Malicious PDF — malware analysis report

Static analysis result for SHA-256 65e7155479bd83ec…

MALICIOUS

PDF

Size: 71.7 KB
Created: 2021-04-01 01:03:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24bf88096e39499e960160f8e3f0c20e
SHA-1: 87e4f36fe6ad50e6292cb651d8f0b77dede4ffeb
SHA-256: 65e7155479bd83ecb44b88c6b049cd0198bcf496805784e859e669bf92f68f3f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and by ClamAV, which classified it as a phishing trojan. It contains a large number of external links, many of them embedded within the document's structure, suggesting a link farm or redirection mechanism. The primary identified URL, 'https://druttle.ru/wix?keyword=ironman+4000+inversion+table+manual', appears to be part of an SEO spam campaign, likely used to disguise malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://druttle.ru/wix?keyword=ironman+4000+inversion+table+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d94d.bin (SHA-256 076ba081f175aef5ffafb6869226f6873bf5fb242bdae0b3fbcb9917d18dd0cd) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD94D | 5196 bytes
font_01_sfnt_off0000eae2.bin (SHA-256 a01693a4abdc862b987c5683ba9128e1cac59713e4e3f3f34e37241b774900e2) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAE2 | 10848 bytes