Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2aa1532030f07fd…

MALICIOUS

PDF

75.3 KB Created: 2021-03-08 09:58:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-17
MD5: e9f22ee3ca5f168baaeec64b9115e51c SHA-1: 167ae505331f692ef3a4b66d627b501400241815 SHA-256: a2aa1532030f07fd63ed49ada6e4ab3064ec7cb632fa08d1aef41626e6621e45
224 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links pointing to known malicious redirector infrastructure, specifically 'dafemum.ru', which is used to distribute malware. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and the ML classifier strongly indicate malicious intent. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create malicious PDFs. The presence of a password-protected archive lure suggests an attempt to bypass security controls.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=windows+10+allow+blank+passwords In PDF document text
    • https://cdn-cms.f-static.net/uploads/4495531/normal_5fd6f29a0e6c0.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4376858/normal_5fedd3ef26494.pdfIn PDF document text
    • http://zikuwojanubeg.iblogger.org/39003780715.pdfIn PDF document text
    • https://cdn.sqhk.co/kefexunas/Zjj4jSn/63389062542.pdfIn PDF document text
    • https://cdn.sqhk.co/sebuwemid/ec17PMS/classic_games_arcade_emulator_mod_apk.pdfIn PDF document text
    • https://cdn.sqhk.co/ribobujir/djeKhbu/87351559584.pdfIn PDF document text
    • https://cdn.sqhk.co/dolitife/hi2giiL/66529410882.pdfIn PDF document text
    • https://cdn.sqhk.co/radofufalam/fibht34/difugebadenikojasade.pdfIn PDF document text
    • https://cdn.sqhk.co/dasisogi/DjdLLfd/85120150860.pdfIn PDF document text
    • https://cdn.sqhk.co/zogobadakedu/hiihU7j/kewonotujizobem.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://wugorasu.rf.gd/tavuluvabozat.pdfIn PDF document text
    • http://niworojuxine.rf.gd/96984289129.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a9a4337b-f0ff-463e-9084-487175af4102/traktor_s4_software_download_crack.pdfIn PDF document text
    • http://xeziribosivamis.epizy.com/20341652340.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/995ca2af-dcdd-40d4-bdca-bd1da4313777/73937443549.pdfIn PDF document text
    • http://lepugip.epizy.com/ragdoll_cat_colors_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/daac92de-2514-4a20-b8ab-73cee44ad719/should_i_still_take_sat_subject_tests_2020.pdfIn PDF document text
    • http://zatejufeg.rf.gd/68930500984.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5b111330-4a51-46cd-8cb7-24922b517adb/unity_change_asset_download_location.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA1F 5456 bytes
SHA-256: dd72fc0faf98e813ea980c70a116a232b2cc1263c42f4e717ea048d29b358f4e
font_01_sfnt_off0000fcd3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFCD3 10320 bytes
SHA-256: 015bba970fc342a29a2c9caa530adbb64ef2df695de85332582fb0314fd57f93

Open this report in the interactive analyzer, or submit your own file for analysis.