Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e6a9ef67173e876…

Verdict: MALICIOUS

File type: PDF

Size: 86.7 KB
Created: 2021-04-02 17:51:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d06f8d35ccc8982e254ef1ea67d566d
SHA-1: af579d1fc8da3f5105409d172e00cf548d9c1777
SHA-256: 8e6a9ef67173e876ca8807611134eb7c75c8316be78a514397ff7429cab182d3
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a pattern typical of link farms and phishing campaigns. The PDF_SEO_LINK_FARM heuristic flags the mass of external links, one of which points to 'midufefew.ru'. The ClamAV detection 'Pdf.Phishing.Trojan' further supports a malicious classification. Although no scripts were explicitly extracted, the PDF structure and the embedded URIs indicate that the document is designed to redirect users to potentially malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://midufefew.ru/aws?utm_term=an+astrologer%2527s+day+summary+questions+and+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000114c0.bin
  SHA-256: 3fb5674c6e1297f7297a356fb285c8cab9daf60574ca1bbc3e832236efb47dd0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x114C0
  Size: 5488 bytes

Filename: font_01_sfnt_off00012765.bin
  SHA-256: 60ecb6b8cb236524c6b313c7328d06c3136964eeee150ef3a11a53586519a5e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12765
  Size: 10720 bytes