Malicious PDF — malware analysis report

Static analysis result for SHA-256 8737ebd1676d4626…

Verdict: MALICIOUS
File type: PDF
Size: 83.3 KB
Created: 2021-04-04 21:11:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae499c8e146da21776a1aa05c142c5ba
SHA-1: 4ee55756d3bf68cc309403255948fb5bb139c6b1
SHA-256: 8737ebd1676d462655190c03b6c844dcbe53d7b9641f7bd0674ced70315dfd58
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by five heuristics, two of them critical: a ClamAV signature match for Pdf.Phishing.Trojan and the PDF_SEO_LINK_FARM rule. The 83 KB file, generated from HTML with wkhtmltopdf, carries a large number of clickable external links, most of them to other PDFs on website-builder CDNs (s123-cdn-static.com, f-static.net, filesusr.com, strikinglycdn.com) and S3 buckets. That is the generated SEO/link-farm carrier pattern used to route users into malware or unwanted-software delivery chains, not a normal citation pattern. The primary URL of interest is https://dafemum.ru/wix?keyword=ilos+screen+recorder+apk+pure; its keyword-driven query string is consistent with a landing page that serves unwanted software or phishing content. Two caveats for triage: the last seven entries in the extracted URL list (w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP namespaces, plus the SIL OFL font licence) are metadata and font-licence identifiers rather than links, and should not be treated as indicators; and the duplicate-object finding is informational only, matching the incremental-update shape rather than confirmed active content. No heuristic in the list reports embedded JavaScript, so the T1059.007 mapping above is not supported by these findings.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/wix?keyword=ilos+screen+recorder+apk+pure (primary URL)
    • https://static.s123-cdn-static.com/uploads/4384149/normal_5fee08421d3b3.pdf
    • https://cdn-cms.f-static.net/uploads/4367013/normal_5fd8b2776c38d.pdf
    • https://cdn-cms.f-static.net/uploads/4380214/normal_6035a6f8a8804.pdf
    • https://static.s123-cdn-static.com/uploads/4530171/normal_6003685c4b48d.pdf
    • https://static.s123-cdn-static.com/uploads/4419827/normal_5fdef32eb5762.pdf
    • https://cdn-cms.f-static.net/uploads/4372707/normal_603892247b37b.pdf
    • https://cdn-cms.f-static.net/uploads/4413005/normal_6055f5364335a.pdf
    • https://static.s123-cdn-static.com/uploads/4408187/normal_600294a66866d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2f07d022-2cc5-45ee-906b-8fd4b1f487bb/sierra_7mm_mag_load_data.pdf
    • https://291e86d0-b4b7-455e-aeca-30cd05102b29.filesusr.com/ugd/384a46_12c52c7b1b7e4076ae242deb5c2f880d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fdd16010-5256-4d75-a235-03c132b3e40e/jukabajofem.pdf
    • https://393102e6-89af-4738-8cad-89662dba8dc5.filesusr.com/ugd/33a16d_c9eaf68a9b5a466682ce67f1594197c1.pdf?index=true
    • https://cd9ed9ec-87d1-42be-9198-0b2de6c1db4d.filesusr.com/ugd/158fb9_11817dc3f96a485e83832306ecd6235e.pdf?index=true
    • https://s3.amazonaws.com/fikuvine/assam_tet_2019_form_fill_up_date.pdf
    • https://9305c775-266c-4126-9ef9-90a5cffee957.filesusr.com/ugd/c3f88d_89bf7f6e628741338b50e430a429f8f6.pdf?index=true
    • https://s3.amazonaws.com/popisiburewixuj/3d_photo_video_gallery_editor_apk.pdf
    • https://s3.amazonaws.com/votubukaxogilix/23704438561.pdf
    • https://s3.amazonaws.com/rawesaragegugar/legomopesufu.pdf
    • https://s3.amazonaws.com/tapexiw/chromedriver_default_directory.pdf
    • https://63c031ef-a76e-4574-b6c7-b683c5cdde0f.filesusr.com/ugd/3a5e7a_2e3fc49487cc4e59a38463630b5e191e.pdf?index=true
    • https://0dd4521b-3e41-4083-9bcc-807cce03ae78.filesusr.com/ugd/cfe2e9_472b3769ccf043e591a99a69fadd2438.pdf?index=true
    • https://ff87c8b5-ca28-4ac0-94ba-218234037d87.filesusr.com/ugd/1d4e4f_d48effe7bddc436ea05dbea586b9dbde.pdf?index=true
    • https://07d68bf2-0661-47e2-9ffe-eae068a071af.filesusr.com/ugd/fef806_5998169cac4f4aa98e6bdef697c70d43.pdf?index=true
    • https://f904ef53-caa1-4f0f-8a97-c50675c03ece.filesusr.com/ugd/2f8cea_c5c4e4250a884889b418d96591258cbe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5a376b3f-5630-4d87-9a90-f224b6edc1f0/troy_bilt_tb230_engine.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
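The three static checks the heuristics above describe (the link-farm host clustering of PDF_SEO_LINK_FARM, the per-channel labelling behind EMBEDDED_URL, and the first-wins/last-wins resolution behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with plain byte-level regexes, without a PDF library. The script below is an added example, not code from this report or from the analyser that produced it. It runs on a constructed PDF-like byte string built inline; the hosts farm-cdn.example and lander.example, the size and link-count thresholds, and the ACTIVE_KEYS list are assumptions, while the namespace prefixes come from the tail of the URL list above.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Regexes over raw bytes: objects are matched textually, no PDF parser needed.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # /URI (literal-string) link actions
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()\]]+")   # any URL-looking string in the file
# Namespace/licence URIs found in XMP metadata and font streams (the tail of the
# EMBEDDED_URL list in this report); they are identifiers, not clickable links.
METADATA_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
    "http://scripts.sil.org/OFL",
)
# Assumed list of keys whose presence in a redefined object makes the confusion actionable.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/GoToR")


def build_sample_pdf():
    """Constructed PDF-like bytes (not the analysed sample): ten link annotations,
    nine on one host; XMP metadata with namespace URIs; and object 4 0 redefined
    with a JavaScript action by an appended incremental update."""
    links = [f"https://farm-cdn.example/uploads/{i}/normal_{i:08x}.pdf" for i in range(9)]
    links.append("https://lander.example/wix?keyword=screen+recorder+apk")
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(links)))
    parts = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj",
        "4 0 obj << /Length 5 >> stream\nHello\nendstream endobj",
        "9 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\n'
        "endstream endobj",
    ]
    for i, url in enumerate(links):
        parts.append(f"{10 + i} 0 obj << /Subtype /Link /A << /S /URI /URI ({url}) >> >> endobj")
    parts.append("trailer << /Root 1 0 R >>\n%%EOF")
    # Incremental update: a second, different body for 4 0 appended after the first %%EOF.
    parts.append("4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
    parts.append("trailer << /Root 1 0 R >>\n%%EOF")
    return "\n".join(parts).encode("latin-1")


def link_farm_report(data, max_size=200_000, min_links=10, min_top_share=0.5):
    """PDF_SEO_LINK_FARM-style check: many /URI link actions in a small file,
    mostly clustered on one host. The thresholds are assumptions, not the report's."""
    uris = [u.decode("latin-1") for u in URI_ACTION_RE.findall(data)]
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    flagged = len(data) <= max_size and len(uris) >= min_links and share >= min_top_share
    return {"uri_actions": len(uris), "hosts": dict(hosts), "top_host": top_host,
            "top_host_share": share, "flagged": flagged}


def classify_urls(data):
    """EMBEDDED_URL-style pass: label each distinct URL by the channel it was found in."""
    link_targets = {u.decode("latin-1") for u in URI_ACTION_RE.findall(data)}
    result = {"link_annotation": [], "metadata_namespace": [], "other": []}
    for url in dict.fromkeys(u.decode("latin-1") for u in ANY_URL_RE.findall(data)):
        if url in link_targets:
            result["link_annotation"].append(url)
        elif url.startswith(METADATA_PREFIXES):
            result["metadata_namespace"].append(url)
        else:
            result["other"].append(url)
    return result


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY-style check: the same 'N G obj' defined more than once with
    different bodies. Reports what first-wins and last-wins readers would resolve and raises
    severity only when a body carries active content, as the heuristic describes."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(set(defs)) < 2:
            continue
        active = any(key in body for body in defs for key in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "definitions": len(defs),
                         "first_wins": defs[0][:48].decode("latin-1"),
                         "last_wins": defs[-1][:48].decode("latin-1"),
                         "active_content": active, "severity": "high" if active else "info"})
    return findings


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(json.dumps({"link_farm": link_farm_report(pdf), "urls": classify_urls(pdf),
                      "duplicate_objects": find_duplicate_objects(pdf)}, indent=2))
```

On the constructed input the link-farm check flags 10 link actions with 90% on one host, the URL classifier separates the three XMP namespace URIs from the ten link targets, and the duplicate check reports object 4 0 as high severity because its last-wins body is a JavaScript action while its first-wins body is an inert stream. To run the same checks on a real file, replace build_sample_pdf() with the file's bytes; /URI values encoded as hex strings or spread across object streams are not covered by these regexes.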

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010964.bin
    SHA-256: f1dbc634b90b21940ce6506ce20822633583f9aa201ab7dc2b11e2a6c0298281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10964
    Size: 5068 bytes
  • font_01_sfnt_off00011ab1.bin
    SHA-256: 8da5814588413c4fc8bfc023909b557f299a887bd49a47ec4f5f79cb4c437b5f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AB1
    Size: 10632 bytes