Malicious PDF — malware analysis report

Static analysis result for SHA-256 981907b6f8f1cafd…

Verdict: MALICIOUS
File type: PDF
Size: 85.2 KB
Created: 2021-03-06 07:02:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a7964707991de836bc786e29296acc1
SHA-1: 727f5cf4f250e7e673a42969e51f5e5bc721c2ef
SHA-256: 981907b6f8f1cafd338957e4bb4b154b666ce316f57c080baaaec1cf7abef506
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one pointing to 'https://golowaki.ru/wix?keyword=60+second+burger+run+wr', suggesting a link farm or phishing lure. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and external links are indicative of an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics (5 triggered)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/wix?keyword=60+second+burger+run+wr

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000df51.bin | efeec00bd50956fc2942402060d417a652c8dc69bb7a08d42acd30f8eca3bc8c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF51 | 3972 bytes
font_01_sfnt_off0000ed85.bin | 8c36779b17ae806c70c2a807e7774b50db1d03aa9dd7049e8e75444bd042c0c7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED85 | 5052 bytes
font_02_sfnt_off0000fe94.bin | 0b761f192d089aba2bb4e48317bba6c222952ad3367a65966f80a172518c31fe | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE94 | 6824 bytes
font_03_sfnt_off000110ea.bin | 993ab3d4c51c84ccc0caadfa37026eff75b2e799f876c56fc812752530254c46 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110EA | 12308 bytes
font_04_sfnt_off000137fc.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x137FC | 4324 bytes