Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5fa67dc6c6df223…

Verdict: MALICIOUS
File type: PDF
Size: 377.3 KB
Created: 2021-02-26 18:13:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 4300d88893674edaf2abcdb470f931c3
SHA-1: 8c1007b8b4bbb64d50d8069b1465d273d2a5a74f
SHA-256: a5fa67dc6c6df2234a9f19830b9e72103ed6c84bb82088286dc2c7a7eacacfb7
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing indicating a malicious redirector link to dafemum.ru. This, combined with numerous other embedded URLs pointing to potentially malicious content, strongly suggests a phishing or malware distribution attempt. The ClamAV detection further confirms its malicious nature. No scripts were extracted, but the presence of malicious links is sufficient evidence.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0241

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=kitchenaid+superba+oven+model+number+location (in PDF document text)

Extracted artifacts (23)

Files carved from inside the sample during analysis.

Filename, kind, source, size (SHA-256 of each carved file on the following line):
stream_005_off0002e900.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E900 18348 bytes
SHA-256: 6c7b6ae01b4edc0cc0d0901fe21b9f948d72ad947408dbeabf1e704aae877c9f
stream_010_off0003cb8f.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3CB8F 9124 bytes
SHA-256: 4466a4fb60d80306be3d511ce4b2ba57af7372bcad10986719a71c1337a1f6a1
stream_012_off00040207.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x40207 10224 bytes
SHA-256: a6a2816da674c1093f5f83187c4c1f3207f9094ad716c30c2dba5d9758c4f85d
stream_014_off000434a6.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x434A6 40616 bytes
SHA-256: 7601649ba470f0195d71f7c9b6e048646afcd2e7ea503352015ba6f695597471
font_00_sfnt_off0002d627.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2D627 4996 bytes
SHA-256: d95b7f6a76290bef5aac28f91d1b609445065cd3a3c04d6f411be22668855aa9
font_02_sfnt_off000319a1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319A1 7612 bytes
SHA-256: e0010bfdc59c54d417cccbc5c87baec0302f2bb1a470a3fd54762e7754e29588
font_03_sfnt_off00033386.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x33386 49204 bytes
SHA-256: 6eca35eb5d8d872691784f454a5791405ea9f9a1fa7f5da4f3829ab717b3c249
font_04_sfnt_off0003a570.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3A570 5480 bytes
SHA-256: 08c8de2abf8934b651740672f53a7f31fd1bb4f23471530d115937860059d4ab
font_05_sfnt_off0003b7ec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3B7EC 5508 bytes
SHA-256: 3bd941264df133123cb8ae96166b3679cdcc76579e0617a5e5a36de667a64773
font_07_sfnt_off0003ea34.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3EA34 8724 bytes
SHA-256: 5506121bb4c6d82bd9d1091fe9bd80e63aabafd985f544adaff712d6498151ee
font_09_sfnt_off00041fe0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x41FE0 6040 bytes
SHA-256: ec462c9ad66c8aaa642f0f1b74a3a8fbc903582611dda65580d865348d1911e4
font_11_sfnt_off00048b8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x48B8A 3560 bytes
SHA-256: 8e77b3c547da761ed5654b30b9c3b6a6bc2c4684a13f2e1bc72792d246111fde
font_12_sfnt_off000497e6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x497E6 9240 bytes
SHA-256: f60269b95179193a380322bc8b3be63a0263703b7cb0e476592c2cfe01465cdc
font_13_sfnt_off0004aeed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4AEED 9600 bytes
SHA-256: 02b430b7f15bfac427c5aff21afbb413de2cf0a94ed13bda1a795188d71bf729
font_14_sfnt_off0004ce2c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4CE2C 5172 bytes
SHA-256: a5d2b426e748de1835db9a36efbf9146d6d6e4ca491cb342a6dbf474d83c4a6c
font_15_sfnt_off0004dfde.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4DFDE 14356 bytes
SHA-256: dda46009efd11581aa5b412d48a4c4d1bc650edd28129de75eb452e68841e984
font_16_sfnt_off00050390.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x50390 14704 bytes
SHA-256: dddf2a86b5d862c76f4dc46275956d7c3ca166b0805de7b88370651730384613
font_17_sfnt_off00052813.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x52813 6888 bytes
SHA-256: d3cb25a0feb51884d0562daad88174d77113c88cce114e40fb47194bcf3e67b4
font_18_sfnt_off00053e9c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x53E9C 8376 bytes
SHA-256: 0c088045e9371a0c3d1a4b64ddf3308536252941af68f1d1dc71ff9c297cb67c
font_19_sfnt_off0005585e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5585E 2128 bytes
SHA-256: b63151499f84075f523becad931680bd07bc2b1fffe30179fff6cb665cd1a901
font_20_sfnt_off00056179.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x56179 19468 bytes
SHA-256: 12a2fbfb49316a14eea64e59177a779eec94429f502d657d14ebd01ad31dbe4d
font_21_sfnt_off000594b9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x594B9 8540 bytes
SHA-256: 05c7330eb3be68aa9beee8299bb28d46510fb1a2865732cc10a8a5509ce13cbd
font_22_sfnt_off0005ad66.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5AD66 14120 bytes
SHA-256: a8833f3a140da6aace23818751ab903da29bebca053ba79dfd861b96634dbae9