Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e263b83c67c235f…

MALICIOUS

PDF

75.3 KB Created: 2021-04-10 00:46:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f9fdf9820bb8bb974dd281dcf0fe965 SHA-1: 69d4c15e108708722158dc8e876c3fa11e7269f1 SHA-256: 6e263b83c67c235fc28947a9aeb54f9935b5fbb15d65cad37b46f081aa2ea23a
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external URIs, with one prominent link pointing to 'https://druttle.ru/strik?utm_term=how+to+refill+a+speed+feed+trimmer+head', suggesting a phishing or malware distribution lure. The presence of a 'download button' heuristic further supports the idea that the document is designed to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=how+to+refill+a+speed+feed+trimmer+head
    • https://cdn-cms.f-static.net/uploads/4471513/normal_602f1d5bcfe5f.pdf
    • https://static.s123-cdn-static.com/uploads/4366666/normal_6005981812f5a.pdf
    • http://fawanajaxape.22web.org/basilugetosubobevosu.pdf
    • https://wejafivikime.weebly.com/uploads/1/3/0/9/130969279/59976e62f153.pdf
    • https://cdn-cms.f-static.net/uploads/4375891/normal_5fe76f0991426.pdf
    • http://palubofapejuraw.mywebcommunity.org/jiteserodapidigakaref.pdf
    • https://cdn-cms.f-static.net/uploads/4393632/normal_606df31282da4.pdf
    • https://povemiloten.weebly.com/uploads/1/3/4/6/134608376/nurakafuzof.pdf
    • https://mazerobuwi.weebly.com/uploads/1/3/1/3/131398334/wutasagetura.pdf
    • http://pefiworawodud.mypressonline.com/sorawifekopezune.pdf
    • https://rakawixedisika.weebly.com/uploads/1/3/5/3/135324789/5892156.pdf
    • https://static.s123-cdn-static.com/uploads/4469136/normal_5fef87b96a203.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sovagawaz.rf.gd/3023803370.pdf
    • https://s3.amazonaws.com/zategafozasiru/wuzisufa.pdf
    • https://s3.amazonaws.com/moduluzuxikari/percy_jackson_the_lightning_thief_2_full_movie_online.pdf
    • http://tikavufuku.rf.gd/97976854691.pdf
    • http://zilisidojaze.myartsonline.com/debatumimebadugamijonezas.pdf
    • http://sajekitix.rf.gd/97808517505.pdf
    • http://nurejorafu.epizy.com/sourceforge_creator.pdf
    • http://vevojadiren.epizy.com/xodilanirulexinalemotaf.pdf
    • http://benigef.rf.gd/is_jlab_audio_good.pdf
    • https://s3.amazonaws.com/vuzotisenixava/making_worksheets_engaging.pdf
    • https://s3.amazonaws.com/wotodedaruzuk/74219612353.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8a4.bin
96a666c370a65b7154c0b1180a24bef941967f4d6ae7ed92e7561f0df1b05d5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8A4 5336 bytes
font_01_sfnt_off0000faad.bin
6071fb2b320f547bca59ff7765f808c234ec89a6813cb8ccf0f7d68a92c613bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAAD 10696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.