Malicious PDF — malware analysis report

Static analysis result for SHA-256 772afebb00fdf127…

MALICIOUS

PDF

88.9 KB Created: 2021-05-21 00:01:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74b18f3df6a606a8b61f505de0126ab3 SHA-1: ad4c26cf4667279759a23cb71b2ad57f1b203234 SHA-256: 772afebb00fdf127c7c8e03859d3d54f0b98e8ceb97d4b84b7d51efa01612920
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a heuristic firing for an external URI pointing to a suspicious domain, which is likely an attempt to trick users into downloading malware disguised as a game fix. ClamAV also detected the file as 'Pdf.Phishing.Trojan'. The presence of numerous external links, even if many resolve to benign content, suggests a link farm or distribution mechanism for malicious files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=far-cry-4-dual-core-fixer.rar+%25281.2+mb%2529
    • https://cdn-cms.f-static.net/uploads/4370286/normal_60694883a17c6.pdf
    • https://static.s123-cdn-static.com/uploads/4381766/normal_5ff03b4daf65f.pdf
    • https://valoxapemep.weebly.com/uploads/1/3/4/3/134305175/foxumigololu_ruzevefajarodo.pdf
    • https://viwoseloza.weebly.com/uploads/1/3/4/8/134861971/ramagisov.pdf
    • https://static.s123-cdn-static.com/uploads/4380230/normal_6006a8d9d598a.pdf
    • https://static.s123-cdn-static.com/uploads/4402932/normal_600821c3617f1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/f848bf59-2fda-4ff6-a91f-6e23d2dba5f1/61342154842.pdf
    • https://uploads.strikinglycdn.com/files/251189a6-b80f-4a54-9b8e-683186c6c262/67165091152.pdf
    • https://uploads.strikinglycdn.com/files/69c32acc-bcbe-4d35-965d-36399d472128/pilgrim_at_tinker_creek_rhetorical_devices.pdf
    • https://uploads.strikinglycdn.com/files/77eb7e1e-553c-41c7-9842-bfb1c5c0a5f1/48494900201.pdf
    • https://uploads.strikinglycdn.com/files/27e88736-4333-447c-9df5-0bbc6f672141/19359699145.pdf
    • https://s3.amazonaws.com/telasebisu/72654111657.pdf
    • https://s3.amazonaws.com/tuzakifezara/volume_compound_shapes_worksheet_answers_with_work.pdf
    • https://uploads.strikinglycdn.com/files/2fde1453-84c1-496c-a880-7c8004c8366e/79269545036.pdf
    • https://uploads.strikinglycdn.com/files/e9873782-573b-4e9e-ac04-9e428af3ada8/panorama_del_nuevo_testamento_serie_fe_y_accion_gratis.pdf
    • https://s3.amazonaws.com/jivagajamav/allshare_full_apk.pdf
    • https://s3.amazonaws.com/wizakokowe/android_fragment_database_listview.pdf
    • https://uploads.strikinglycdn.com/files/e4df1a25-bef5-49a5-8bea-1e1e5245760f/81961107604.pdf
    • https://s3.amazonaws.com/rivazixexuguri/surface_area_of_a_cone_worksheet_tes.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e55a.bin
e997435bc6048d609ea4a3661280ce752cac39bd6ab9c76359adb4ac24f857fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE55A 5440 bytes
font_01_sfnt_off0000f809.bin
feae45d79323ac7ccdcf9d876b61a1088177fac72af904e059c680cc4101ff2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF809 19568 bytes
font_02_sfnt_off000130bb.bin
c55a73de0587e44f399f67360f05e53023b0a1037730ea622091a2300f2aa072		 pdf-font-stream PDF embedded font (sfnt) at offset 0x130BB 16200 bytes
font_03_sfnt_off000145f1.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x145F1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.