Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cc6f23b78e2b081…

MALICIOUS

File type: PDF
Size: 84.7 KB
Created: 2021-03-29 12:46:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c43bae8f61ff88c08c035248cadf28c4
SHA-1: 87890c1c35a8638bd8f69cb8c68fdf0e08328eb9
SHA-256: 9cc6f23b78e2b08177c046af6dfd654252157ff41e18a9aca3d94a96c34f2883
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The document carries an unusually large set of external links for its 84.7 KB size, which triggered the PDF_SEO_LINK_FARM heuristic: most of the extracted URLs point to further .pdf files on a handful of shared file-hosting domains (six on uploads.strikinglycdn.com, three on cdn.sqhk.co, three on *.filesusr.com, plus single free-hosting domains such as sportsontheweb.net, mypressonline.com and atwebpages.com), the pattern of machine-generated SEO/link-farm carriers rather than genuine citations. The producer string wkhtmltopdf 0.12.5 is consistent with automated HTML-to-PDF generation. The one URL reached by a clickable /URI link action (PDF_URI) is https://dafemum.ru/123?utm_term=warp+stabilizer+premiere+pro+cc+2015, whose utm_term carries a software-related search phrase, typical bait for routing users into an unwanted-software delivery chain. The remaining extracted strings on w3.org, purl.org, ns.adobe.com, scripts.sil.org and ascendercorp.com are XMP namespace identifiers and embedded-font licence text, not clickable links. The ClamAV signature and the ML classifier (0.9998) both classify the file as malicious, most likely as a phishing/lure carrier rather than an exploit document: no JavaScript or other script content was extracted, so the T1059.007 mapping is not supported by the recovered evidence, and the risk lies in where the links lead.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (a document saved twice), so severity is raised only when the duplicate carries active content such as an action, script or embedded file; here it stays informational.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=warp+stabilizer+premiere+pro+cc+2015 (reached via the /URI link action reported under PDF_URI above)
    • http://wozovumorawoka.sportsontheweb.net/57442489504.pdf
    • http://luminar4-download.xyz/how_to_show_data_table_in_chart_excelil036.pdf
    • http://xenejesujotolud.mypressonline.com/perbedaan_luka_antemortem_dan_postmortem.pdf
    • https://cdn.sqhk.co/tisufupujeli/UOjjU2u/vologoponi.pdf
    • http://klosheff.xyz/97488133411sedhu.pdf
    • https://cdn.sqhk.co/jogibigeda/XjajhQY/ketoxona.pdf
    • https://cdn.sqhk.co/digipexula/ijhJVje/how_do_you_draw_gacha_life_hair.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.orgThis
    • https://uploads.strikinglycdn.com/files/f1bb66ad-9019-407d-8596-013dae1523f7/56844652065.pdf
    • https://uploads.strikinglycdn.com/files/d2bffff6-0c90-4933-a163-6c6edc9c4b17/52452224402.pdf
    • https://uploads.strikinglycdn.com/files/ca70cdc7-3614-4b12-b4b0-99f8fd52f9d7/wevuxobakafoz.pdf
    • https://e1cd7dcf-8988-4be8-9b1a-722367337987.filesusr.com/ugd/6203b9_b58cbb5225ae4d38a8dc08457b9e02db.pdf?index=true
    • https://023e3b0e-89aa-4e00-bd19-175c11a0a9c0.filesusr.com/ugd/5f4883_0f142fc742934a3196f8a67260236885.pdf?index=true
    • http://kamigawox.atwebpages.com/mathematics_project_models.pdf
    • https://uploads.strikinglycdn.com/files/9503b52b-2241-42dc-b788-a0806ccd444a/toro_lawn_mower_model_20339_spark_plug.pdf
    • https://uploads.strikinglycdn.com/files/a1f5b934-6c61-4171-bb0d-a64f32372805/26369259749.pdf
    • https://ec451167-49e0-489e-a150-d7dc0ecf9264.filesusr.com/ugd/fe0276_ebc9052a03a94209a8a18839bf93adf1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9f5a6a8e-2cce-4cd7-ac33-8a829dcdf132/69025593037.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://scripts.sil.org/
    • http://scripts.sil.org/OFLAbyssinica
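
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small scanner. The following is an added example, not the analysis platform's code and not run against this sample: it builds a constructed minimal PDF inline (ten link annotations, seven on one host, followed by an incremental update that redefines one annotation's /URI), enumerates every "N G obj" definition, reports objects defined twice with different bodies, and shows how a first-wins and a last-wins reader end up with different URL sets before the link-farm verdict is computed. The thresholds (8 links, 50 % on one host, 256 KB) and the hostnames are assumptions chosen for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indirect object definition "<num> <gen> obj ... endobj". Bodies are kept as raw
# bytes so two definitions of the same object can be compared byte for byte.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI value as a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, one entry per definition, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def resolve(defs, key, policy="last"):
    """Body a first-wins or last-wins reader would use for an object."""
    bodies = defs.get(key)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(defs):
    """Objects defined more than once with at least two distinct bodies
    (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    return {k: v for k, v in defs.items() if len(set(v)) > 1}


def extract_uris(defs, policy="last"):
    """URIs as seen by a reader using the given duplicate-resolution policy."""
    uris = []
    for key in sorted(defs):
        for m in URI_RE.finditer(resolve(defs, key, policy)):
            raw = m.group(1) if m.group(1) is not None else bytes.fromhex(m.group(2).decode("ascii"))
            uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(data, policy="last", min_links=8, top_share=0.5, max_size=256 * 1024):
    """Small file + many external links + most of them on one host.
    Thresholds are demo assumptions, not the report's values."""
    defs = parse_objects(data)
    uris = extract_uris(defs, policy)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {
        "size": len(data), "links": len(uris), "hosts": len(hosts),
        "top_host": top_host, "top_share": round(share, 2),
        "flagged": len(data) <= max_size and len(uris) >= min_links and share >= top_share,
    }


def build_sample():
    """Constructed minimal PDF (not the analysed file): one page with ten link
    annotations, seven on one host, then an incremental update that redefines
    object 10 with a different /URI. Hostnames are made up for the demo."""
    hosts = ["cdn.farm.test"] * 7 + ["a.test", "b.test", "c.test"]
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
        + b" ".join(b"%d 0 R" % (10 + i) for i in range(len(hosts))) + b"] >>\nendobj\n",
    ]
    for i, host in enumerate(hosts):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (http://%s/%d.pdf) >> >>\nendobj\n"
                    % (10 + i, host.encode(), i))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    update = (b"10 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (http://evil.test/x.pdf) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    sample = build_sample()
    defs = parse_objects(sample)
    for key, bodies in duplicate_objects(defs).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)} times with differing bodies")
    for policy in ("first", "last"):
        print(policy, link_farm_verdict(sample, policy))
```

A regex scan is enough to show the shape but not for production use: objects packed in object streams (/ObjStm), binary stream data that happens to contain the bytes "endobj", encrypted strings and /URI literals with escaped parentheses all need a real PDF parser, and a conforming viewer resolves duplicates through the cross-reference chain (the newest xref wins) rather than by file order, which is exactly why a duplicate body can split a linear scanner's view from the viewer's.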

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ed98.bin
    SHA-256: e38bfe3a47ed12c3c99068ca1d7160f897541ba7d44e3b452010751c2b5308dc
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xED98   Size: 5732 bytes
  • font_01_sfnt_off00010124.bin
    SHA-256: 25d2fbfb5dd46bce752f1a10cbb8fe29a5ece10bd9e4a33cfa5ea6c363d8700b
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x10124   Size: 20968 bytes
  • font_02_sfnt_off0001215c.bin
    SHA-256: c0774f01e902de6779910aae8a975b434fc210b6cf0c182caaf0883f3300b45d
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1215C   Size: 10596 bytes

The only carved artifacts are three embedded sfnt font streams, consistent with the wkhtmltopdf producer; no script, embedded file or other active content was extracted.