Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b989fcc736d7759…

MALICIOUS

PDF

Size: 82.4 KB
Created: 2021-06-06 01:53:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb196e3f7eaaaa15bcd47d8d87a5cf5b
SHA-1: b0e136aa2ce5b219f6efae1402258a7d89f7cd91
SHA-256: 6b989fcc736d7759b836ed51df06319b2859bba1be10b66dbc7701c14ab78c33
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to SEO-optimized PDF farms, suggesting a link-farming or phishing campaign. The primary malicious URL identified is https://midufefew.ru/wb?keyword=little%20fires%20everywhere%20chapter%2019%20summary. While no scripts were explicitly extracted, the heuristic PDF_SEO_LINK_FARM indicates the document's structure is designed to distribute links to other potentially malicious or spam content. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://midufefew.ru/wb?keyword=little%20fires%20everywhere%20chapter%2019%20summary
    • https://nekizinatuzi.weebly.com/uploads/1/3/4/3/134325328/jubigasukenu_mawami_wixirogi.pdf
    • https://cdn-cms.f-static.net/uploads/4366637/normal_603685eff1695.pdf
    • https://cdn-cms.f-static.net/uploads/4384152/normal_60bbcdf9c9c65.pdf
    • https://tarivoda.weebly.com/uploads/1/3/4/6/134693378/88115.pdf
    • https://cdn-cms.f-static.net/uploads/4459325/normal_606bcf02651b3.pdf
    • https://cdn-cms.f-static.net/uploads/4423453/normal_60113664f313d.pdf
    • https://pobasejedewepiz.weebly.com/uploads/1/3/4/0/134017346/kurovikurodor-geted-wurigewiko.pdf
    • https://mitexasax.weebly.com/uploads/1/3/1/8/131857270/sulub.pdf
    • https://cdn-cms.f-static.net/uploads/4381082/normal_603eab0817e74.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6e555af0-be44-4f48-9fe7-c5660b162ed9/wenolufidirasixidasesab.pdf
    • https://uploads.strikinglycdn.com/files/dd0743ad-5da2-4eea-81c7-28136ec077db/starfinder_adventure_path_reviews.pdf
    • https://uploads.strikinglycdn.com/files/373e482f-7145-4c8b-b951-c6f8d6873065/75795166645.pdf
    • https://uploads.strikinglycdn.com/files/7ae8c3a5-7d91-490c-bbec-8be72017647b/a_cup_of_tea_idiom_origin.pdf
    • https://uploads.strikinglycdn.com/files/a42651b1-205c-40bf-bc54-3bf4a6cf8a21/modern_calligraphy_font_free.pdf
    • https://uploads.strikinglycdn.com/files/39efb9a0-eef9-4726-bec5-2a7edcde48c4/dunafusomakevakuvav.pdf
    • https://uploads.strikinglycdn.com/files/8b573e55-dc81-4b42-9b10-ff5a122b9aa9/rejokovudifefofavusufujod.pdf
    • https://uploads.strikinglycdn.com/files/68863e3f-c220-4301-8868-50adda8ff645/when_we_pray_lyrics_tauren.pdf
    • https://uploads.strikinglycdn.com/files/b621a046-8778-4617-9acd-f29056170752/free_simple_finite_element_analysis_software.pdf
    • https://uploads.strikinglycdn.com/files/8c583aaf-adc5-43e6-b546-5b9bad39b9c9/how_to_clean_maytag_washer.pdf
    • https://uploads.strikinglycdn.com/files/b2d0fb0e-660c-4db1-8094-0f7b84441698/5b_specific_heat_capacity_and_latent_heat_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/9e9f7968-9e35-4572-b7ca-5843a848ad12/80373504918.pdf
    • https://uploads.strikinglycdn.com/files/2252dbd2-1ebd-4640-8bed-ed91ad637645/advanced_algebra_linear_equations.pdf
    • https://uploads.strikinglycdn.com/files/bb838ce4-3a70-4aa2-80e8-e8519e8fe8a9/bulupaxaw.pdf
    • https://uploads.strikinglycdn.com/files/e48e1fa8-12cc-4bec-b84f-59e6e6b74ce2/dragon_naturallyspeaking_13_premium_serial_number.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010352.bin
    SHA-256: aa05232f87e3598f7b457e3fe7c9741244fb85f447bf8b4e2029c3eff2ad7c4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10352
    Size: 5660 bytes
  • Filename: font_01_sfnt_off0001168f.bin
    SHA-256: 301575cfad0ad3953b4495f25454f4994fcb0812a4da525776b85ef289da6ed3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1168F
    Size: 11036 bytes