Malicious PDF — malware analysis report

Static analysis result for SHA-256 a36bcbc385cffcd4…

Verdict: MALICIOUS
File type: PDF

Size: 74.3 KB
Created: 2021-03-17 07:17:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec356fb69dfdfc299f7bd4e2166d3ede
SHA-1: d4551139776d732d1d42d71cf6198899496377d0
SHA-256: a36bcbc385cffcd46b318fe3e22c6c9689bd31350b19999ae3da10753c3c2f07
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious both by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, and the critical heuristic PDF_SEO_LINK_FARM fired on it. One of the primary external URIs identified is 'https://druttle.ru/wix?keyword=ming+hing+hertford+nc', which is likely part of a phishing or SEO spam campaign. Although no scripts were explicitly extracted, the large number of external links suggests an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=ming+hing+hertford+nc

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000d2af.bin
    SHA-256: 5fccc4b93669808a911be510fa35354615011d06cae0a9a774c0ef2e9a75b465
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD2AF; Size: 2828 bytes
  • font_01_sfnt_off0000dcb9.bin
    SHA-256: dee859641f26f39d46e9734a94db739bf31b4d48393e837c1800ca69afd552a1
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xDCB9; Size: 4868 bytes
  • font_02_sfnt_off0000ed4d.bin
    SHA-256: 5eed9f27fd4a6931d5ab1e4179018837e33edc1d8ee57edd109e0d19683c25d5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xED4D; Size: 1768 bytes
  • font_03_sfnt_off0000f61b.bin
    SHA-256: d1e5e9b478c48247e1f23efa3afca4a995173316cbcf0315bbb9f19d3fcda388
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF61B; Size: 10736 bytes