Malicious PDF — malware analysis report

Static analysis result for SHA-256 7685adedbe8f9172…

MALICIOUS

PDF

Size: 80.1 KB
Created: 2021-03-19 23:42:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17e6a0a8a51cbcd261556622bf9074be
SHA-1: 4ddf9e7fe29eaed3164ff0c2349b4f7166d12e9a
SHA-256: 7685adedbe8f9172c6a810c38d7f0e67edb429a6dc8e2e9a89f21bf6c286a7bc
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified by the 'PDF_SEO_LINK_FARM' heuristic, pointing to various domains. One prominent URL, 'https://midufefew.ru/award?keyword=new+perspectives+in+archaeology+binford+pdf', is directly embedded and flagged as a potential phishing or malware distribution point. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or distributing further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://midufefew.ru/award?keyword=new+perspectives+in+archaeology+binford+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fb14.bin
    SHA-256: 0d1739ecbcea3456474ab27c7b629b8dbf23099fa9b7b786cbe31bc4d00eba57
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB14
    Size: 5780 bytes
  • Filename: font_01_sfnt_off00010ee2.bin
    SHA-256: 63066d3e62c01613551818f8f854d5af2ab12dd1abd8593f1f978faabbda20be
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EE2
    Size: 10624 bytes