Malicious PDF — malware analysis report

Static analysis result for SHA-256 76f89ef374bdd292…

Verdict: MALICIOUS
File type: PDF
Size: 83.6 KB
Created: 2021-03-23 17:21:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 691a6aa08cbbaaba662680ca47b7f108
SHA-1: e02e93e178a537eb36dca0603923fff750a8ad0e
SHA-256: 76f89ef374bdd292c051abc1ca21112a7b83034397eb0925d72c8c4bcb2fafa9
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ClamAV flagged this PDF as Pdf.Phishing.Trojan and the Nyx PDF classifier scored it 0.9996 (malicious). The document carries many clickable external URLs, most of them pointing at free or disposable content hosting (mygamesonline.org, scienceontheweb.net, filesusr.com, S3 buckets) and spread thinly across many distinct hosts with no dominant one: the pattern of an SEO link farm built to rank for search queries and route visitors into redirect chains, not a normal citation pattern. One link, https://dafemum.ru/strik?utm_term=can+protein+be+a+meal+replacement, carries a utm_term parameter that mirrors a search query and is laid out to look like a search result, inviting the click. No JavaScript or other script was extracted, so the T1059.007 mapping is not corroborated by the static analysis; the PDF itself carries no exploit, and the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (such as a script or an action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=can+protein+be+a+meal+replacement
    • http://frankkyko.com/
    • http://bivaxosufuxibo.mygamesonline.org/49758616493.pdf
    • http://operationhomeplate.com/how_to_get_xbox_codes_for_freezbi07.pdf
    • http://fasekafalig.scienceontheweb.net/dumudopubame.pdf
    • http://detonic-ro.website/s2d_multiplayer_iosjt03v.pdf
    • http://nuloriwilorij.scienceontheweb.net/rizisorutijuneligo.pdf
    • http://nerazegizetikam.getenjoyment.net/xoxakidavubago.pdf
    • http://ita-yog.space/wabukidafotuxgwbxu.pdf
    • http://dabinepoj.mygamesonline.org/steelseries_arctis_7_manual.pdf
    • http://barcaporirternet-interbank-pe.com/lebuvafidibapiniflaohr.pdf
    • http://wedevaz.sportsontheweb.net/blender_materials_and_textures.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://24451074-f53b-4065-993c-779ba3957988.filesusr.com/ugd/0ae25f_1842ffaa3e5d4c13b1f057348352bbfe.pdf?index=true
    • https://s3.amazonaws.com/sugosubexez/87472697001.pdf
    • https://s3.amazonaws.com/zukogi/68751966104.pdf
    • https://f733e552-90a1-4d1f-83ca-a6b36afcf31c.filesusr.com/ugd/38bf1f_bf9b295cdc084c3e91d676e75dc63878.pdf?index=true
    • https://2e8e3215-33bf-4fe1-bc67-b38dac560527.filesusr.com/ugd/269bb8_4fb12f5b057545d1a459afc1a39b415c.pdf?index=true
    • https://s3.amazonaws.com/sulasatevirexo/29435072913.pdf
    • https://s3.amazonaws.com/zamemigojat/iswaran_the_storyteller_question_answers.pdf
    • https://a5a7f18c-b887-48a0-80cc-3627c14345d5.filesusr.com/ugd/609f59_a7d6ed7bb7a94e36b26ed819c40112c6.pdf?index=true
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_f15c78dc2ad84561969c795b5d47111b.pdf?index=true
    • http://desujiruvomeb.myartsonline.com/5009496939.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
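The two structural heuristics above (the link-farm check and the duplicate-object check) can be reproduced with a few lines of Python. The block below is an added example, not the report's own tooling: it scans a PDF constructed inline for the demo (eight link annotations reusing URLs from the list above, plus one object number defined twice, first as a benign GoTo action and then as JavaScript), counts external links per host, looks for a utm_term redirector and disposable hosts, and reports which body a first-wins versus a last-wins reader would resolve. The disposable-host list, the thresholds and the regex-based object scanner are assumptions made for the example; the scanner handles only the simple objects in the sample, not streams or cross-reference tables.

```python
"""Added example: two PDF heuristics from the report, re-implemented in plain Python.
The sample PDF, host list and thresholds below are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Matches "N G obj ... endobj"; deliberately naive, enough for the constructed sample.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicated object "active" rather than body-only noise.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")
# Assumption: free/disposable content hosts, taken from the URL list in this report.
DISPOSABLE_HOSTS = ("mygamesonline.org", "scienceontheweb.net", "getenjoyment.net",
                    "sportsontheweb.net", "myartsonline.com", "filesusr.com",
                    "s3.amazonaws.com")

# Constructed sample: the catalog's /OpenAction points at object 20, which is defined twice.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 20 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R 16 0 R 17 0 R] >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/strik?utm_term=can+protein+be+a+meal+replacement) >> >> endobj
11 0 obj << /Subtype /Link /A << /S /URI /URI (http://bivaxosufuxibo.mygamesonline.org/49758616493.pdf) >> >> endobj
12 0 obj << /Subtype /Link /A << /S /URI /URI (http://operationhomeplate.com/how_to_get_xbox_codes_for_freezbi07.pdf) >> >> endobj
13 0 obj << /Subtype /Link /A << /S /URI /URI (http://fasekafalig.scienceontheweb.net/dumudopubame.pdf) >> >> endobj
14 0 obj << /Subtype /Link /A << /S /URI /URI (http://detonic-ro.website/s2d_multiplayer_iosjt03v.pdf) >> >> endobj
15 0 obj << /Subtype /Link /A << /S /URI /URI (https://s3.amazonaws.com/sugosubexez/87472697001.pdf) >> >> endobj
16 0 obj << /Subtype /Link /A << /S /URI /URI (https://s3.amazonaws.com/zukogi/68751966104.pdf) >> >> endobj
17 0 obj << /Subtype /Link /A << /S /URI /URI (http://ita-yog.space/wabukidafotuxgwbxu.pdf) >> >> endobj
20 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
20 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def iter_objects(pdf):
    """Yield (num, gen, body) for every indirect object in file order, duplicates included."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(pdf):
    """Return the target of every /URI action, decoded as Latin-1 like a PDF byte string."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def _is_disposable(host):
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)


def link_farm_verdict(uris, min_links=6, max_dominant_share=0.5):
    """Evidence behind a PDF_SEO_DISPOSABLE_LINK_FARM-style verdict: external links spread
    thin across hosts (no dominant host), corroborated by utm_term or disposable hosting."""
    parsed = [urlparse(u) for u in uris if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(p.hostname for p in parsed if p.hostname)
    total = sum(hosts.values())
    dominant_share = max(hosts.values()) / total if total else 0.0
    evidence = {
        "external_links": total,
        "pdf_links": sum(1 for p in parsed if p.path.lower().endswith(".pdf")),
        "distinct_hosts": len(hosts),
        "dominant_share": dominant_share,
        "utm_term_links": sum(1 for p in parsed if "utm_term" in parse_qs(p.query)),
        "disposable_hosts": sum(1 for p in parsed if p.hostname and _is_disposable(p.hostname)),
    }
    spread_thin = (total >= min_links and len(hosts) >= total / 2
                   and dominant_share <= max_dominant_share)
    corroborated = evidence["utm_term_links"] > 0 or evidence["disposable_hosts"] > 0
    evidence["verdict"] = spread_thin and corroborated
    return evidence


def find_duplicate_objects(pdf):
    """Flag object numbers defined more than once with differing bodies. Severity is raised
    only when a duplicate carries active content, matching the heuristic in the report."""
    definitions = {}
    for num, gen, body in iter_objects(pdf):
        definitions.setdefault((num, gen), []).append(body)
    findings = []
    for (num, gen), bodies in definitions.items():
        if len(set(bodies)) < 2:
            continue  # identical re-definitions are not a confusion vector
        active = any(key in body for body in bodies for key in ACTIVE_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a first-definition reader resolves
            "last_wins": bodies[-1],   # what a last-definition (incremental-update) reader resolves
            "severity": "medium" if active else "info",
        })
    return findings


if __name__ == "__main__":
    print(link_farm_verdict(extract_uris(SAMPLE_PDF)))
    for finding in find_duplicate_objects(SAMPLE_PDF):
        print(finding)
```

On the sample, `link_farm_verdict` sees eight external links on seven hosts with a dominant share of 0.25, one utm_term link and four links on disposable hosts, so the verdict is true; `find_duplicate_objects` reports object 20 0 as defined twice, resolving to a GoTo under a first-wins reader and to JavaScript under a last-wins reader, with severity raised because the duplicate is active. A real triage tool would walk the xref and incremental-update sections rather than regex over raw bytes, but the decision logic is the same.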

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ff25.bin
    SHA-256: ffcbdf48243fe52c65f6b025dc7cb9c5cf053eeddca02d7dbd2ab5d27f3871a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF25
    Size: 4948 bytes
  • font_01_sfnt_off00010fd0.bin
    SHA-256: 8243a2978354b99ad9fc1765d3878328d49e2998d0a5549394a0bdfef85e0506
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10FD0
    Size: 2188 bytes
  • font_02_sfnt_off000119ef.bin
    SHA-256: 88d75e5251b135b985c1f4ddc272a446bfe854ccd3fe297d6ecc8f557f47c20f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119EF
    Size: 10816 bytes