Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dffdfa4a26576b2…

Verdict: MALICIOUS
File type: PDF
Size: 74.9 KB
Created: 2021-05-19 13:07:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5:     8bbca94695be7029ff5f5ee57b7fad0f
SHA-1:   720ea09155f1e415f1e42437087d89c88c249651
SHA-256: 9dffdfa4a26576b2519a2e2bd3352d9622e27adef6e77fec4db438cd15e9e76d

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links disguised as search results for popular song titles (the primary link carries a utm_term of "megastar chiranjeevi hit songs telugu naa songs"), directing users to potentially malicious websites. The heuristic PDF_SEO_LINK_FARM fires on the large number of external links clustered on a few hosts, the pattern of a generated SEO link farm or phishing carrier. The ClamAV detection Pdf.Phishing.Trojan further supports malicious intent. No JavaScript or other script objects were extracted from the file, so the T1059.007 mapping is not backed by recovered code; the evidence on this page supports a phishing or unwanted-software delivery chain driven by the link annotations themselves, and the file should be treated as a lure rather than as a self-contained exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the analysis platform labels each URL with the channel (macro, JS, link annotation, document body, ...) that reached it, but those per-URL labels are not reproduced on this page.
    • https://dugedepap.ru/strik?utm_term=megastar+chiranjeevi+hit+songs+telugu+naa+songs
    • https://cdn-cms.f-static.net/uploads/4487658/normal_60654efa5aaf0.pdf
    • https://loloxanasi.weebly.com/uploads/1/3/4/7/134712840/gujalefez.pdf
    • https://wokuzavewa.weebly.com/uploads/1/3/5/3/135339714/0f11c8.pdf
    • https://cdn-cms.f-static.net/uploads/4460449/normal_604372b39531c.pdf
    • https://fonekukiko.weebly.com/uploads/1/3/5/3/135393218/dulasisixodos_musamopejosuxax.pdf
    • https://cdn-cms.f-static.net/uploads/4448535/normal_603d1c02ae865.pdf
    • https://static.s123-cdn-static.com/uploads/4371497/normal_5fc763fe34c8d.pdf
    • https://cdn-cms.f-static.net/uploads/4453326/normal_60485f5ae6b0a.pdf
    • https://fafetomipisiso.weebly.com/uploads/1/3/4/6/134603542/wumategizatutomegok.pdf
    • https://cdn-cms.f-static.net/uploads/4450045/normal_5fe7090582017.pdf
    • https://cdn-cms.f-static.net/uploads/4403533/normal_602a3cc2eeeec.pdf
    • https://static.s123-cdn-static.com/uploads/4501503/normal_5ff957af53b4a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d9303bdf-80b6-4885-9c5a-7b1a07b04d42/massey_ferguson_35x_owners_manual.pdf
    • https://uploads.strikinglycdn.com/files/896c6541-fe5b-4a62-9872-3c70b3e642ba/97735486703.pdf
    • https://s3.amazonaws.com/boduxatavepe/pavojolekedasezabalili.pdf
    • https://s3.amazonaws.com/dorulusof/engineering_fundamentals_of_the_internal_combustion_engine_free_download.pdf
    • https://uploads.strikinglycdn.com/files/22f1589c-d3cf-4fa3-ba3d-70201be0cc27/jatamikadila.pdf
    • https://s3.amazonaws.com/kovozenamofox/blue_and_white_christmas_background.pdf
    • https://uploads.strikinglycdn.com/files/545fae9e-9aef-410c-9ad9-c193e919809e/71159884445.pdf
    • https://uploads.strikinglycdn.com/files/7f3fe510-3c9d-42e2-9eab-2de88780dabe/samsung_s4_mini_won_hard_reset_key.pdf
    • https://s3.amazonaws.com/fadadedezeker/nice_html_website_templates.pdf
    • https://uploads.strikinglycdn.com/files/fea78043-8482-41d1-83db-86915f73de2e/fiweruker.pdf
    • https://uploads.strikinglycdn.com/files/168f6e77-5da9-4881-840a-5f5ab0681527/cub_scout_webelos_book.pdf
    • https://uploads.strikinglycdn.com/files/ee69c151-93ae-4ba8-99ac-d7f39421c600/kivituk.pdf
    • https://s3.amazonaws.com/dudurat/7097709222.pdf
    • https://uploads.strikinglycdn.com/files/73e81468-0539-4b7d-a1d4-8c397d812412/5756361574.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not link targets: the w3.org, purl.org and ns.adobe.com URIs are the RDF, Dublin Core and XMP namespace identifiers found in any XMP metadata packet, and http://scripts.sil.org/OFL is the SIL Open Font License URL carried in font metadata. When triaging, concentrate on the .ru search-term link and the clustered .pdf links on f-static.net, weebly.com, strikinglycdn.com and s3.amazonaws.com.
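The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can both be reproduced with a parser-agnostic scan of the raw bytes. The following Python is an added example written for this report, not the analysis platform's own detection code; it scans for "N G obj ... endobj" definitions, reports objects redefined with different bodies, resolves /URI actions under a first-wins and a last-wins policy, and then applies link-count, .pdf-share and host-clustering thresholds. The thresholds, the SAMPLE_PDF bytes and the hostnames in it are constructed for the example and are not taken from the analysed file.

```python
"""Added example: PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
re-implemented over raw PDF bytes. Not the analysis platform's own code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Indirect object "N G obj ... endobj" and /URI action strings. A raw regex
# scan is deliberately parser-agnostic: it sees every definition, including
# the ones a first-wins or last-wins reader would silently drop.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample (not the analysed file): a one-page PDF with four link
# annotations, followed by an incremental update that redefines object 7 0
# with a different /URI. xref tables are omitted; the scan does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/2/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/3/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.example.org/manual.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/strik?utm_term=hit+songs) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> every body seen for that object, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(data: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same N G defined more than once
    with differing bytes. Returns {(num, gen): (first_body, last_body)}."""
    return {k: (b[0], b[-1]) for k, b in parse_objects(data).items()
            if len(b) > 1 and len(set(b)) > 1}


def extract_uris(data: bytes, policy: str = "last") -> list:
    """URIs a reader would follow under a first-wins or last-wins policy."""
    uris = []
    for bodies in parse_objects(data).values():
        body = bodies[-1] if policy == "last" else bodies[0]
        uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris


def link_farm_verdict(data: bytes, policy: str = "last", max_size: int = 200_000,
                      min_links: int = 4, min_pdf_share: float = 0.5,
                      min_host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external links, mostly to .pdf
    paths, clustered on one host. Thresholds are assumptions for this example,
    not the platform's tuned values."""
    uris = extract_uris(data, policy)
    parts = [urlsplit(u) for u in uris]
    hosts = Counter(p.netloc.lower() for p in parts)
    pdf_links = sum(p.path.lower().endswith(".pdf") for p in parts)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(uris)
    hit = (n > 0 and len(data) <= max_size and n >= min_links
           and pdf_links / n >= min_pdf_share
           and top_count / n >= min_host_share)
    return {"size": len(data), "links": n, "pdf_links": pdf_links,
            "top_host": top_host, "top_host_links": top_count,
            "PDF_SEO_LINK_FARM": hit}


if __name__ == "__main__":
    # Run the scan against both resolution policies; a scanner that only
    # resolves one of them misses what the other kind of reader will open.
    for policy in ("first", "last"):
        print(policy, link_farm_verdict(SAMPLE_PDF, policy))
    for key, (first, last) in duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d:" % key, first, b"->", last)
```

Running it against SAMPLE_PDF shows why the duplicate-object heuristic matters for triage: object 7 0 resolves to docs.example.org under a first-wins reader and to the cdn.example.net "strik" URL under a last-wins reader, so URL extraction has to be done under both policies before deciding which hosts to block. For the analysed file, the heuristic was rated info only, because the duplicated body carried no script or action payload.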

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e6ef.bin
  SHA-256: 310e1db747e2989161fba65797dda06f5c072666373711e7822e429071d9ec2d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE6EF
  Size:    5200 bytes

Filename: font_01_sfnt_off0000f8b7.bin
  SHA-256: 965804087a1df1afdae77914d27d95a909109143441af8b450ce4383124ee8c7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF8B7
  Size:    10844 bytes

Both carved objects are embedded sfnt fonts, which is what a wkhtmltopdf rendering of an HTML page normally produces; no scripts, embedded files or other active payloads were carved. The malicious behaviour of this sample lies entirely in where its link annotations send the reader.