Malicious PDF — malware analysis report

Static analysis result for SHA-256 9808a83ffe780515…

MALICIOUS

PDF

73.6 KB Created: 2021-03-14 22:08:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52d17dd2a3afd3c6e1764ce11846f4bb SHA-1: 26b561961cb30fc8c8f93f22ee0311b38722cd2a SHA-256: 9808a83ffe7805155ff765a3ccdf4513c050eff9adc1a8f73aade4e82321ee1b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM'. The presence of a malicious ML classification and ClamAV detection, along with the suspicious URL 'maypoin.ru', indicates a phishing or malicious content distribution attempt. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=doraemon+movie+2020
    • http://komozazene.getenjoyment.net/affidavit_of_domicile_form.pdf
    • https://cdn-cms.f-static.net/uploads/4381531/normal_6035790fde598.pdf
    • http://sabumow.mygamesonline.org/public_relations_campaign_examples.pdf
    • http://zunololanuxigu.sportsontheweb.net/mcq_blank_answer_sheet.pdf
    • https://static.s123-cdn-static.com/uploads/4446924/normal_5ffc4da905783.pdf
    • http://mofemaruwek.sportsontheweb.net/the_secret_garden_full_movie_1949.pdf
    • https://static.s123-cdn-static.com/uploads/4449789/normal_5fff2b67e629c.pdf
    • http://sawedes.mywebcommunity.org/biochemistry_laboratory_modern_theory_and_techniques.pdf
    • http://larebalin.mypressonline.com/oral_b_toothbrush_heads_for_sensitive_teeth.pdf
    • http://sepoxudozixo.sportsontheweb.net/breast_cancer_screening_guidelines_2020.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://4a1cfc67-5981-466d-a13b-75576fe7431f.filesusr.com/ugd/64e449_a084345a328b4fc0ade0b798472935bf.pdf?index=true
    • https://a765b249-d442-4b07-8ea9-8318d996b894.filesusr.com/ugd/902d29_7c88e17a5cf940beacf09c4304fa2325.pdf?index=true
    • https://22449060-8e30-4723-8828-967625cce342.filesusr.com/ugd/eddc50_717c1e78c43745b1aedf111d546f04ef.pdf?index=true
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_b6802df54859410abf29063d2535e45d.pdf?index=true
    • https://931f52e6-cb68-4a93-8e02-54808d33f8b6.filesusr.com/ugd/6290de_7037ccb5676b412aadb757efc599a500.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_bba4e8c65193406e85e1e06f3f127bba.pdf?index=true
    • https://ed4d48c2-14ea-47f5-a89a-b82193587323.filesusr.com/ugd/8ce377_053523d95b1349fca65f042b4049f979.pdf?index=true
    • https://d7ae471b-a447-437d-81b4-4e603f8679d9.filesusr.com/ugd/0a3240_091808102c694d6799407a2e2f7b3a10.pdf?index=true
    • https://bf808793-8b46-4c54-8b11-319763181fa0.filesusr.com/ugd/0d018b_08fd701e5d77495685d9ff7803e17cdc.pdf?index=true
    • https://9f9bd9fa-00fe-4673-b34e-9a629881f524.filesusr.com/ugd/09273f_badff3e340304943a6f799efb411296c.pdf?index=true
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_c5334659c5e94118aa247a2310a97ced.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d821.bin
1b37ddf73fccb4bc07e687cce2eaad66bde0cb99c9d07eeed08cebcc7d0beab1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD821 4660 bytes
font_01_sfnt_off0000e7cc.bin
4223b404f5b8eb927d34849cd9699e3c053c8c9769995e3ded5502c4b42a26c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE7CC 10560 bytes
font_02_sfnt_off00010bec.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10BEC 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.