Malicious PDF — malware analysis report

Static analysis result for SHA-256 7824db41f73f469c…

MALICIOUS

PDF

Size: 83.6 KB
Created: 2021-04-03 12:13:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b250b74f6e38c73941400502ff17670
SHA-1: d593d12da4ff6cd640c2f3033fa8c3f4ef400f74
SHA-256: 7824db41f73f469cef7353cbcc12db6dde94a0baad4d85019f596186c0cc088e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO abuse tactic. The embedded URLs, such as 'https://dafemum.ru/wix?keyword=one+s10+launcher+pro+apk+download', likely serve as lures or entry points for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dafemum.ru/wix?keyword=one+s10+launcher+pro+apk+download
    • http://vopukisavenif.medianewsonline.com/download_al_arabiyyah_bayna_yadayk.pdf
    • http://gepokupaburorew.mywebcommunity.org/gosefej.pdf
    • https://wimelavejitovuv.weebly.com/uploads/1/3/4/5/134597731/4348350.pdf
    • https://cdn.sqhk.co/sesijisova/e3hfqxS/runescape_grand_exchange_market_watch.pdf
    • https://cdn.sqhk.co/woxemumi/hgifhcZ/zombie_defence_games_unblocked.pdf
    • https://sovirolozemeze.weebly.com/uploads/1/3/4/3/134337586/menotad.pdf
    • https://noloxuxema.weebly.com/uploads/1/3/1/4/131453633/44af37.pdf
    • http://nusezuretoti.scienceontheweb.net/ccsu_bpt_syllabus_download.pdf
    • https://cdn.sqhk.co/nosisatoved/ihheTAg/xekop.pdf
    • http://ninomut.sportsontheweb.net/eeg_book_free.pdf
    • https://cdn.sqhk.co/zibumimuw/ODjaMhh/nenufezafavad.pdf
    • https://cdn.sqhk.co/xedufoga/mgg4CiT/adventure_escape_asylum_chapter_6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6706a97f-df1e-42a5-80b6-6e92d85c2589/11683123183.pdf
    • https://uploads.strikinglycdn.com/files/11689663-a01e-4528-8ff0-8b47856f9440/ruxapozamixabagiv.pdf
    • https://uploads.strikinglycdn.com/files/80ebc623-c0f2-4066-b0b3-6e8f48f963b5/msi_n1996_motherboard_audio_drivers_windows_7.pdf
    • https://uploads.strikinglycdn.com/files/ef63f6e7-3e23-41cc-ac9c-443846d04130/xuzivepexenuzewufira.pdf
    • https://uploads.strikinglycdn.com/files/717d0485-69ed-4337-b020-4d1e2d3f4e06/10995226385.pdf
    • https://uploads.strikinglycdn.com/files/c1ee3943-b17e-493e-bda0-50f9f061ede0/97246746779.pdf
    • https://uploads.strikinglycdn.com/files/762e7a94-7fca-47fa-bd2c-7b06e59d72b0/9.3_naming_and_writing_formulas_for_molecular_compounds_worksheet_answer_key.pdf
    • http://sewemira.atwebpages.com/97641992346.pdf
    • https://uploads.strikinglycdn.com/files/9a323dc3-14c2-4afd-9019-9fab730fbef6/emotion_regulation_skills_dbt_handout.pdf
    • https://uploads.strikinglycdn.com/files/54f26aec-bd95-4202-a240-c4687a4aecd9/68368322473.pdf
    • https://uploads.strikinglycdn.com/files/d3baaebf-7d62-4102-b796-937358e7dca4/what_if_netflix_cast.pdf
    • https://uploads.strikinglycdn.com/files/5cd1d80f-7091-4bae-8786-0fd502c291df/lifefegev.pdf
    • https://uploads.strikinglycdn.com/files/6463328b-4f2d-442c-80f2-cb882afe2648/are_mini_rex_rabbits_nocturnal.pdf
    • https://uploads.strikinglycdn.com/files/1e88bf08-6225-4396-975b-7971120a8f9a/trigonometric_identities_calculator_with_steps.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                        Size
font_00_sfnt_off0000f223.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xF223     5540 bytes
    SHA-256: 4b1ecd0daa4f2b5e592b1b26c8a0ef1a84ef9c379db3d670e4906517eec63e02
font_01_sfnt_off00010503.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10503    11160 bytes
    SHA-256: 23aa1104f3516c8b858a27115851dc8d59d2fb762edd034b1662b9ceccab95b8
font_02_sfnt_off00012b56.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12B56    16092 bytes
    SHA-256: 2c5f1a2e3d9f683f6a217a47aeaaae813f7d4ef732a5ff54a929695507d09140