Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a596a44881860f4…

MALICIOUS

PDF

73.2 KB Created: 2021-03-14 14:53:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8046600aadd9960c05cd9b9b5fe8ec94 SHA-1: e35465cca1db6d741a8314db3b1d90feb1d1e016 SHA-256: 8a596a44881860f43fd9a203b6699459b72949e5b69ce4cfa87ca698a431524f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of embedded external links, suggesting a link farm or phishing attempt. The primary malicious URL identified is https://dafemum.ru/123?utm_term=aparichithudu+movie+hd+video+songs, which is likely used to redirect users to malicious content. No scripts were extracted, but the PDF structure itself is designed to host and present these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/123?utm_term=aparichithudu+movie+hd+video+songs
    • https://cdn-cms.f-static.net/uploads/4391340/normal_603822bf70af4.pdf
    • https://lepopitiw.weebly.com/uploads/1/3/4/7/134762721/xuxige_ludenupew.pdf
    • https://jeletizasi.weebly.com/uploads/1/3/4/6/134640559/2069110.pdf
    • https://xaliwituxezaxe.weebly.com/uploads/1/3/5/3/135323019/donutujow-kesoporenapo-vawujij-koretuw.pdf
    • https://nomabedipami.weebly.com/uploads/1/3/1/4/131437379/b5fe62e179e350c.pdf
    • https://busejutepegojo.weebly.com/uploads/1/3/4/7/134773147/3534177.pdf
    • https://static.s123-cdn-static.com/uploads/4464710/normal_5fed98048bb75.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fefekug.rf.gd/21850592955.pdf
    • http://nibewisule.epizy.com/bugler_s_holiday_piano_accompaniment.pdf
    • http://fezovabanufoben.epizy.com/arashi_no_yoru_ni_libro.pdf
    • https://9cfe8934-cc69-4f76-a0d0-2e9849ea4530.filesusr.com/ugd/fd9558_f89f19f3febf4ff49045d14a5945585b.pdf?index=true
    • https://201a0bc5-0eb3-4135-8969-828875a6b07d.filesusr.com/ugd/607883_2eb48f4c8b084cde8b43c1c235aa791f.pdf?index=true
    • https://dc58184e-bbba-402a-8e08-a55d552c8f3f.filesusr.com/ugd/0ebc1f_261554f0f26f43209d69e25bfaf12861.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c59fff69-d25e-4353-a7c4-534eaf9363fb/que_haras_si_no_tuvieras_miedo_borja_vilaseca_gratis.pdf
    • http://wosakev.epizy.com/add_subtract_polynomials_worksheet.pdf
    • https://90ff81fc-98d9-4e53-96a3-aaa5c1c2042e.filesusr.com/ugd/bb5aff_947393feb3724843a69ac60132995932.pdf?index=true
    • https://e18e6c05-101e-4f41-9c4d-f518aea09dbb.filesusr.com/ugd/7972b3_4cf4751c13bf44b8a7df33a467b1e87e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/60096474-75ab-4815-b38c-1899b8d781e5/how_to_reset_alarm_system_without_code.pdf
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_5a6be7060ee54f2792ead54e37429578.pdf?index=true
    • http://xufizup.rf.gd/motorola_g_3rd_generation_charger.pdf
    • https://27a83426-c768-4525-a63d-b5b732cca755.filesusr.com/ugd/28b3f7_4957f59579184d5493d5d7e7fd131a88.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dfab.bin
0dceae2415d8f0b75f0e9eacbaf4226e89f4ae6967d038c134a8fac26417e3f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFAB 5504 bytes
font_01_sfnt_off0000f23e.bin
5262ec41de9e7fd408e7b601b6cfdd390a76fe595f08244e829fe2204935f7d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF23E 10808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.