Malicious PDF — malware analysis report

Static analysis result for SHA-256 a163f4da9e739868…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-03-31 15:19:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5dca3aa430e31a1ad73d80eb8d1808a
SHA-1: a688915be41b29e136046200b282af249de1da22
SHA-256: a163f4da9e739868565418854fb39c149cfa482f52301970932c7c0e01262799
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, and the PDF_SEO_LINK_FARM heuristic fires on it. A malicious machine-learning classification and a ClamAV detection further support the verdict. The embedded URL 'https://druttle.ru/wix?keyword=hide+the+fart+unblocked' is likely used for phishing or to serve a secondary payload; most of the remaining links point at other PDFs on filesusr.com and S3 hosting, the typical shape of a generated link-farm carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature named above.
  • SE_DOWNLOAD_BUTTON (low): visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding on its own; it matters only when other findings point to a malicious workflow.
  • PDF_URI (info): external URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (for example a JavaScript or launch action).
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=hide+the+fart+unblocked
    • https://cdn-cms.f-static.net/uploads/4422372/normal_604b93f97b51e.pdf
    • https://cdn-cms.f-static.net/uploads/4478414/normal_602cae4214b9d.pdf
    • http://priz24.site/tutulemipo70uao.pdf
    • http://ketadiets.site/casio_g_shock_wr20bar_manual_espaol5lt90.pdf
    • http://worldthailand.fun/vakefifupx4gt2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jepinebawo/marriage_contract_psa_form.pdf
    • https://73c25812-7308-4b32-b985-10e2a25710ca.filesusr.com/ugd/5b604d_451d06d6b921489193f7c0a8f116a946.pdf?index=true
    • https://2a085669-a8dc-40eb-b1d3-71ea9d660f60.filesusr.com/ugd/cafc24_a503a1df367c4ff184ff0cba2f4af167.pdf?index=true
    • https://d5fb4b5d-766d-4e54-ab1c-ecc61d2b7d82.filesusr.com/ugd/b0c8dc_5c4ea4cb7c22435f858e73587fe5964c.pdf?index=true
    • https://c3bb11cb-ba02-405d-8462-2b4421b436e1.filesusr.com/ugd/4c7814_5498fa7547ca4069b9befec7fa77d70b.pdf?index=true
    • https://c580675e-8888-491d-8c80-3106eaac86fb.filesusr.com/ugd/c8a981_13e2923a782a48bd98ed99685abbb4e7.pdf?index=true
    • https://ede36962-9452-4451-b182-fa4236ba9bc6.filesusr.com/ugd/83b1b3_ff12736658db4d6c9cacd17419599fbc.pdf?index=true
    • https://da6a6a96-7907-4aac-bfe3-592928b14ca9.filesusr.com/ugd/39e844_56d24d838e9b4f30be6f7d48a34cd065.pdf?index=true
    • https://1350f94c-8d6f-42b4-8351-24983ad6a49a.filesusr.com/ugd/4aae87_c0c9306f48204b559a553daa6f13f7ba.pdf?index=true
    • https://s3.amazonaws.com/gonafoziguwewe/proofreading_worksheets_with_answers_grade_4.pdf
    • https://b3dfd9c9-1030-471f-a26d-814ea73dbccc.filesusr.com/ugd/d97afa_979835a5e99342408d41902c5f807ae5.pdf?index=true
    • https://d2faa26e-66ca-44cd-8f84-883624a71019.filesusr.com/ugd/dbbfd0_eb773efd947141a2afc51af26df44008.pdf?index=true
    • https://s3.amazonaws.com/salade/the_inferno_2.pdf
    • https://00407fa8-a9ef-4b78-9bbe-46147fc8acf6.filesusr.com/ugd/5ecadc_dd053eace9334c7d9fa6de8d6c74dc06.pdf?index=true
    • https://a72b158e-cead-41d6-a0b3-8518216316a4.filesusr.com/ugd/35c6e2_b57d378764a946b2b47a0050d91ea941.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF namespace identifiers from the document metadata and the SIL Open Font License URL (typically carried in a font's licence metadata), not clickable links; the link-farm signal comes from the PDF links above.
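The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced at the byte level without a full PDF parser. The script below is an added example written for this page; it is not the analysis platform's code, and the thresholds (file size, link count, cluster share), the active-content key list and the toy PDF it builds are illustrative assumptions. The link URLs fed to the toy PDF are taken from the URL list above; the incremental-update section that redefines the page object with a JavaScript action is constructed.

```python
"""Added example: byte-level re-implementation of two PDF heuristics from the report.
Thresholds, the active-content key list and the sample PDF are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order. An incremental update appends a second copy of an
# object after the original, so file order is what separates a first-wins from a last-wins reader.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active" (run code or trigger an action). Assumed list.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")


def parse_objects(pdf: bytes):
    """Return [((num, gen), body)] for every indirect object, in file order."""
    return [((int(n), int(g)), body.strip()) for n, g, body in OBJ_RE.findall(pdf)]


def extract_uris(pdf: bytes):
    """Crude /URI literal-string extractor; ignores hex strings and object streams."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def site_of(url: str) -> str:
    """Collapse a hostname to its last two labels so <uuid>.filesusr.com hosts cluster together.
    A production rule would use the public suffix list instead of this crude cut."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def link_farm(pdf: bytes, size_limit=200_000, min_links=6, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style rule: small file, many external links, most on one site.
    The three thresholds are assumptions, not the vendor's published values."""
    uris = extract_uris(pdf)
    sites = Counter(site_of(u) for u in uris)
    top_site, top_count = sites.most_common(1)[0] if sites else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    hit = len(pdf) <= size_limit and len(uris) >= min_links and share >= cluster_ratio
    return {"links": len(uris), "top_site": top_site, "top_share": round(share, 3), "hit": hit}


def duplicate_objects(pdf: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style rule: same (num, gen) defined twice with
    different bytes. Severity is raised only if either copy carries active content."""
    first, findings = {}, []
    for key, body in parse_objects(pdf):
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = bool(ACTIVE_RE.search(body) or ACTIVE_RE.search(first[key]))
            findings.append({"obj": key, "first_wins": first[key], "last_wins": body,
                             "active": active, "severity": "high" if active else "info"})
    return findings


def build_sample(urls, update=b""):
    """Construct a toy PDF (no xref table; enough for the byte-level rules above) with one
    link annotation per URL, optionally followed by an incremental-update section."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(urls)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj")
    for i, url in enumerate(urls):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj"
                    % (10 + i, url.encode("ascii")))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n" + update


# Link targets copied from the report's URL list; the host mix is what the rule keys on.
SAMPLE_URLS = [
    "https://druttle.ru/wix?keyword=hide+the+fart+unblocked",
    "https://73c25812-7308-4b32-b985-10e2a25710ca.filesusr.com/ugd/5b604d_451d06d6b921489193f7c0a8f116a946.pdf?index=true",
    "https://2a085669-a8dc-40eb-b1d3-71ea9d660f60.filesusr.com/ugd/cafc24_a503a1df367c4ff184ff0cba2f4af167.pdf?index=true",
    "https://d5fb4b5d-766d-4e54-ab1c-ecc61d2b7d82.filesusr.com/ugd/b0c8dc_5c4ea4cb7c22435f858e73587fe5964c.pdf?index=true",
    "https://c3bb11cb-ba02-405d-8462-2b4421b436e1.filesusr.com/ugd/4c7814_5498fa7547ca4069b9befec7fa77d70b.pdf?index=true",
    "https://s3.amazonaws.com/jepinebawo/marriage_contract_psa_form.pdf",
]
# Constructed incremental update: object 3 0 is redefined with an open-page JavaScript action.
MALICIOUS_UPDATE = (b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript "
                    b"/JS (app.alert\\(1\\)) >> >> >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PDF = build_sample(SAMPLE_URLS, MALICIOUS_UPDATE)

if __name__ == "__main__":
    print("link farm:", link_farm(SAMPLE_PDF))
    for f in duplicate_objects(SAMPLE_PDF):
        print("duplicate object %d %d: active=%s severity=%s" % (*f["obj"], f["active"], f["severity"]))
```

Run stand-alone it reports the link-farm hit (four of six links on filesusr.com) and flags object 3 0 as redefined with active content. Swapping the update for a body-only change (say, adding /Rotate 90) still produces a finding, but at the unraised "info" severity, which is the benign-incremental-update case the heuristic text describes.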

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f71f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF71F   5096 bytes
  SHA-256: c5f3ed9e767f4ce3052cfedce9571057cba129b98e920f80692fb48b0de00e81
font_01_sfnt_off00010868.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10868  12204 bytes
  SHA-256: 8fdd0399fcf403931784cd9e3bd5a46de86b9fea787b23062e576a1c0c62ff4b
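Carved font blobs like the two above are worth validating before they are hashed and shared, since embedded fonts are a classic PDF exploit carrier and a carve that starts at the wrong offset or is truncated hashes to a value nobody else will ever match. The script below is an added example, not the analysis platform's carving code: it slices a blob out of a container at an (offset, size) pair, parses the sfnt offset table and table directory, checks that every table lies inside the blob, recomputes each table checksum, and returns the SHA-256. The container bytes, the offset and the two-table font are constructed inline.

```python
"""Added example: validate a font blob carved from a PDF font stream.
The container, offset and font below are constructed; nothing here comes from the report's sample."""
import hashlib
import struct

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}  # TrueType, Apple TrueType, CFF-based OpenType


def table_checksum(data: bytes) -> int:
    """sfnt table checksum: big-endian uint32 sum over the table, zero-padded to 4 bytes."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def check_carved_font(container: bytes, offset: int, size: int) -> dict:
    """Slice `container[offset:offset+size]` and validate its sfnt table directory.
    Returns the blob's SHA-256, a {tag: (offset, length)} map and a list of problems."""
    blob = container[offset:offset + size]
    report = {"sha256": hashlib.sha256(blob).hexdigest(), "tables": {}, "problems": []}
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        report["problems"].append("no sfnt magic at offset %#x" % offset)
        return report
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if 12 + 16 * num_tables > len(blob):
        report["problems"].append("table directory (%d entries) runs beyond blob" % num_tables)
        return report
    for i in range(num_tables):
        tag, checksum, toff, tlen = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        report["tables"][tag] = (toff, tlen)
        if toff + tlen > len(blob):
            report["problems"].append("table %r extends beyond blob (truncated carve or crafted directory)" % tag)
            continue
        # 'head' is checksummed with its checkSumAdjustment field zeroed; this toy skips it.
        if tag != b"head" and table_checksum(blob[toff:toff + tlen]) != checksum:
            report["problems"].append("table %r checksum mismatch (modified or corrupt data)" % tag)
    return report


def build_sfnt(tables) -> bytes:
    """Constructed test-only builder: valid offset table and directory with real checksums.
    searchRange/entrySelector/rangeShift are zeroed here; real fonts fill them in."""
    n = len(tables)
    out = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    offset, body = 12 + 16 * n, b""
    for tag, data in tables:
        out += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return out + body


# Constructed container: some PDF-looking bytes, then the font where a /FontFile stream would sit.
FONT = build_sfnt([(b"head", b"\0" * 54), (b"name", b"abcdef")])
PREFIX = b"%PDF-1.4\n20 0 obj << /Length 108 >> stream\n"
CONTAINER = PREFIX + FONT + b"\nendstream endobj\n"
OFFSET = len(PREFIX)

if __name__ == "__main__":
    good = check_carved_font(CONTAINER, OFFSET, len(FONT))
    print("intact carve:", good["sha256"], good["tables"], good["problems"])
    print("short carve:", check_carved_font(CONTAINER, OFFSET, len(FONT) - 4)["problems"])
```

The checksum step is what distinguishes a clean carve from a blob that was patched after the directory was written, and the bounds step catches the common failure where a carver trusts a /Length that is smaller than the font it wraps.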