Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bae0a35268ec00d…

Verdict: MALICIOUS

Type: PDF
Size: 87.5 KB
Created: 2021-03-24 18:02:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 25e07abd3165c05032a4f8805da24708
SHA-1: 280da09f8cbaa2fb255441a8eb9a2ed6eac0e060
SHA-256: 6bae0a35268ec00de124033f0dd4f03edc3459e3e8bd08c231631c633ce9b798
Risk Score: 206

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
Note: none of the heuristics below reports embedded JavaScript, and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic states that the PDF itself carries no exploit; the T1059.007 mapping is therefore not corroborated by the static findings on this page.

This PDF document is a link farm designed to route users to potentially malicious websites, as flagged by the 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics. The only URL carried in a clickable link annotation, 'https://druttle.ru/strik?utm_term=how+to+get+a+replacement+ebt+card+in+ny', embeds a search query as its utm_term value, which is the pattern of a generated document built to rank for that query ("how to get a replacement EBT card in NY") and redirect searchers to the druttle.ru host. The remaining URLs sit in the document text and point mostly at .pdf files on free or disposable hosting. The ML classifier and the ClamAV signature both indicate malicious intent, most likely phishing or credential harvesting at the linked destinations rather than in the document itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    In PDF link annotation (clickable):
    • https://druttle.ru/strik?utm_term=how+to+get+a+replacement+ebt+card+in+ny
    In PDF document text:
    • http://gonunimob.iblogger.org/beaufort_wind_force_scale.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_c036def459a84f42b39a78b8432e50de.pdf?index=true
    • http://tikimolanevi.rf.gd/cessna_172_preflight_checklist.pdf
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_8a05b0dac1ce4079a618afb3611c4f3d.pdf?index=true
    • https://eee5dff6-7331-416e-acdf-593d0c386862.filesusr.com/ugd/21e9e0_b66d5a154cbb41babb7b9bee84e8f2dc.pdf?index=true
    • http://letozin.rf.gd/7666967204.pdf
    • https://8f6f9f04-f977-4239-955d-f6aecf2dd879.filesusr.com/ugd/81cd61_16c063b81e4a4341a9cfba9d0f457a19.pdf?index=true
    • https://0dea665b-aaaa-42f3-a52c-f86f0fd1efa2.filesusr.com/ugd/8b9728_a8b50deca8d343e8ae253e4066a26686.pdf?index=true
    • https://e40da922-b0e4-44be-9878-2d4898ccab21.filesusr.com/ugd/3a38e0_39d7f52e5fcf42b799c97809a5e707d2.pdf?index=true
    • http://kepozajadog.rf.gd/ambiguous_genitalia_adalah.pdf
    • http://morikid.epizy.com/turning_challenges_into_opportunities_example.pdf
    • https://50bf384a-eeac-4f26-a262-e2ba1a5e00ba.filesusr.com/ugd/17159d_d027e10b57614473995497f3ad96cf9d.pdf?index=true
    • http://wuwedutukuw.epizy.com/vufasu.pdf
    • https://69df74eb-9f83-488d-97bb-abb55063df61.filesusr.com/ugd/f34323_5701182bd60c4c2b8feffcb06115f57c.pdf?index=true
    • https://ac65beef-1c88-4b01-a948-251493ed82f2.filesusr.com/ugd/09857b_f6422ecdcacf40be848e60f97915f494.pdf?index=true
    • https://c0cead0d-5248-483d-940e-95cc3acd9bde.filesusr.com/ugd/20d83a_ddd354e1a8bb478a8bf5b7d95886b307.pdf?index=true
    • https://b9a4c3d6-4ccf-4d04-9b0f-c2e9c357e15d.filesusr.com/ugd/e5cbe5_68e8e7da38f3428cbdf834bd597e4655.pdf?index=true
    • https://146c8b6c-0b46-450b-8ed0-b45f1e2a4974.filesusr.com/ugd/b58d21_af0e185fa6d4442ea5e951c9730dcd50.pdf?index=true
    In PDF document text (metadata and font-licence strings, not navigable links): the following are XMP/RDF namespace identifiers and font-licence references that wkhtmltopdf and the embedded DejaVu fonts write into the file; they are expected in any such PDF and carry no signal on their own.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
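The two link-farm heuristics above come down to host-spread statistics over the extracted URLs, and the duplicate-object heuristic comes down to finding an object number defined twice and asking what a first-wins reader sees versus a last-wins reader. The script below reproduces both checks; it is an added example written for this page, not the scanner's own code. It feeds in a subset of the URLs listed in this report, and the disposable-host list, the thresholds (at least five .pdf links, a 50% top-host share for "clustered"), the simplified /URI and "N G obj" regexes, and the toy PDF with a duplicated object 4 0 are all assumptions made for the example.

```python
"""Link-farm host-spread profile and duplicate-object (first-wins vs last-wins)
check for a PDF sample. Added example; not the scanner's own code."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free/disposable content hosts, taken from the hostnames in this report's URL
# list. A real scanner would carry a maintained list (assumption).
DISPOSABLE_SUFFIXES = (".filesusr.com", ".rf.gd", ".epizy.com", ".iblogger.org")

# Literal-string /URI entries of link annotations. Simplification (assumption):
# hex-string form <...> and escaped parentheses inside the literal are ignored.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# "N G obj ... endobj" indirect object definitions, in file order.
OBJ_RE = re.compile(rb"(?ms)^\s*(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj")

# Subset of the URLs listed in this report (the XMP namespace and font-licence
# URLs are deliberately left out; they are not navigable links).
REPORT_URLS = [
    "https://druttle.ru/strik?utm_term=how+to+get+a+replacement+ebt+card+in+ny",
    "http://gonunimob.iblogger.org/beaufort_wind_force_scale.pdf",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_c036def459a84f42b39a78b8432e50de.pdf?index=true",
    "http://tikimolanevi.rf.gd/cessna_172_preflight_checklist.pdf",
    "https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_8a05b0dac1ce4079a618afb3611c4f3d.pdf?index=true",
    "http://letozin.rf.gd/7666967204.pdf",
    "http://morikid.epizy.com/turning_challenges_into_opportunities_example.pdf",
    "http://wuwedutukuw.epizy.com/vufasu.pdf",
]

# Constructed toy PDF (not the analysed sample): object 4 0 is defined twice with
# different bodies, the way an incremental update appends a replacement object.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://letozin.rf.gd/7666967204.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://druttle.ru/strik?utm_term=how+to+get+a+replacement+ebt+card+in+ny) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""


def extract_link_uris(pdf: bytes) -> list[str]:
    """Every /URI literal in the file, in file order (naive carving sees both
    copies of a duplicated object, unlike a real reader)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def is_disposable(host: str) -> bool:
    return host.endswith(DISPOSABLE_SUFFIXES)


def link_farm_profile(urls: list[str], min_links: int = 5,
                      top_share: float = 0.5) -> dict:
    """Host-spread metrics behind the two link-farm heuristics: 'clustered'
    means most links sit on one host; 'disposable' means a thin spread over many
    hosts corroborated by a utm_term redirector or disposable hosting."""
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    share = top_count / len(external) if external else 0.0
    utm = [u for u in external if "utm_term" in parse_qs(urlsplit(u).query)]
    disposable = [u for u in external if is_disposable(urlsplit(u).hostname or "")]
    many = len(pdf_links) >= min_links
    return {
        "external": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "utm_term_links": len(utm),
        "disposable_links": len(disposable),
        "clustered_link_farm": many and share >= top_share,
        "disposable_link_farm": many and share < top_share and bool(utm or disposable),
    }


def duplicate_objects(pdf: bytes) -> dict[tuple[int, int], list[bytes]]:
    """(num, gen) -> distinct bodies, for objects defined more than once with
    different bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if body not in bodies.setdefault(key, []):
            bodies[key].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def resolve(pdf: bytes, num: int, gen: int, policy: str) -> bytes:
    """Body a 'first'-wins or 'last'-wins reader would use for object num gen."""
    found = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
             if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    return found[0] if policy == "first" else found[-1]


if __name__ == "__main__":
    for k, v in link_farm_profile(REPORT_URLS).items():
        print(f"{k}: {v}")
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with different bodies")
        print(" first-wins:", resolve(SAMPLE_PDF, num, gen, "first"))
        print(" last-wins: ", resolve(SAMPLE_PDF, num, gen, "last"))
```

On the report's URL subset the profile comes out as nine distinct hosts with no host above an 11% share, one utm_term redirector and seven links on disposable hosting, which is exactly the non-clustered "disposable" shape rather than the clustered one. For the toy file, a first-wins reader follows the letozin.rf.gd link while a last-wins reader follows the druttle.ru link, so triage tooling should carve both copies and test destinations for both, not just the one its own parser happens to pick.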

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000fb4e.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xFB4E   Size: 5508 bytes
  SHA-256: 03c6a3db90f372d78694591683d0aa806923db9a064078cf0e2b9449a1836ae7
font_01_sfnt_off00010e06.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x10E06   Size: 11696 bytes
  SHA-256: e99520f3a99bf58a07c5d171a2d1625e9013ab2ade68142b154db6869ed24e31
font_02_sfnt_off000135fd.bin
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x135FD   Size: 17688 bytes
  SHA-256: fcea0cbee3e88e096b52ccf0f97d898d2563c2bc8899a2b2a8594a9ca2bdadae