Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6fd524dd60db34f…

Verdict: MALICIOUS
File type: PDF
Size: 110.8 KB
Created: 2021-05-28 16:45:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: f16775b17da504fec48f50d2f0260044
SHA-1: 5493903e61c909dea8bd2e3e2a5659e1d2f5d769
SHA-256: a6fd524dd60db34f396f15c88dd5ef2dd49502a194f26d3d824acf125ac538ad
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many pointing to PDF files hosted on various platforms, suggesting a link farm or distribution mechanism. The primary URL, 'https://kuzutuzo.ru/strik?utm_term=letters+from+rifka+full+book+pdf', indicates a lure related to book content, likely to deceive users into visiting malicious sites or downloading further payloads. No scripts were extracted, but the PDF structure and extensive external links strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=letters+from+rifka+full+book+pdf (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00013cbc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13CBC
    Size: 9652 bytes
    SHA-256: b3cbb0e4f60306c64c6663e6d616a2c5f50d1296fc4cd55cdd3fff7abe6bb1b6
  • font_01_sfnt_off000156fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x156FC
    Size: 5332 bytes
    SHA-256: 231c5d44febe7fae2a617463f90c72009469aaef92eb7f18d42da2c6fe2d32fc
  • font_02_sfnt_off00016903.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16903
    Size: 13652 bytes
    SHA-256: 8733e69b0fb3306a5a898bb789af22249266b12e60182899dd6e11b256a6d070
  • font_03_sfnt_off00019572.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19572
    Size: 16300 bytes
    SHA-256: 36324b18f66c7dab6ac35cbf3855fe2f530c1ac6468d9ff2e84319ae6b5e0fc2