Malicious PDF — malware analysis report

Static analysis result for SHA-256 6dcdf47e8e4c3de6…

Verdict: MALICIOUS
File type: PDF
Size: 70.3 KB
Created: 2021-04-04 20:14:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fedf03d8cce5495c1324e9cbabecc9c
SHA-1: dd179d0ca4a509773983cc34361ea09f3a1e1838
SHA-256: 6dcdf47e8e4c3de6c754ee389ef6c96571b82247b808f018be282b23dfe890c9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, one of which is identified as a potential phishing or malicious URL. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate effort to pack the document with links, suggesting either an intent to direct users to harmful content or SEO manipulation. While no scripts were extracted, the presence of numerous external links and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest a phishing or malicious content delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d514.bin
    SHA-256: 8daaf922c8a3263b1e00b351b9ff0e6b40df09805b082949c07fd97d5baae455
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD514
    Size: 5204 bytes
  • Filename: font_01_sfnt_off0000e6b1.bin
    SHA-256: a80706621c3d5d3a258dbb3a14e21c94f91592f58052947e6a77083c150391ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6B1
    Size: 11008 bytes