Malicious PDF — malware analysis report

Static analysis result for SHA-256 702979d2871b3e17…

MALICIOUS

PDF

Size: 82.7 KB
Created: 2021-03-13 13:10:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf2a22c3cd3f1310bd70b70fe3968782
SHA-1: 9d1f38cb95711014ca32bdeadeb274103d89cb2c
SHA-256: 702979d2871b3e17c37d498a10809e8c3fa95cfcd0863a5c5695bd479a9ed99e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file triggers the link-farm heuristic: it contains a large number of external links, with one prominent URL pointing to a suspicious domain. ClamAV also detected the file as a phishing trojan. The embedded content, although heavily obfuscated, suggests an attempt to disguise malicious activity as a document analysis, most likely to route the reader to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9954)

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/wix?keyword=boxer+animal+farm+character+analysis

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f6ff.bin
  SHA-256: 8c069548cebc6f807e42c7138d8ebb35ce80bc2e97a8ac432d103d027be482af
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6FF
  Size: 5128 bytes

Filename: font_01_sfnt_off00010841.bin
  SHA-256: 132353e862ff92053f30075dfd04a02e50c621348d888e754579156c07f37e82
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10841
  Size: 11340 bytes

Filename: font_02_sfnt_off00012ee7.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12EE7
  Size: 4324 bytes