Malicious PDF — malware analysis report

Static analysis result for SHA-256 afc9f39883292fed…

MALICIOUS

PDF

73.6 KB Created: 2021-03-16 04:31:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7636c3fc463f799638f24b3e7710b512 SHA-1: 790584e561abfd356d5b2ec4974f96fa4af1a399 SHA-256: afc9f39883292fedff07578d7fc255694b69833412ac007ef969a6e84e5deaa9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan distribution attempt. It contains a large number of external links, with one prominent link pointing to 'https://pelibifir.ru/wix?keyword=missouri+trappers+rendezvous+2020', suggesting a lure to a malicious site. The document body is heavily corrupted, preventing a detailed analysis of its content, but the presence of numerous external links strongly suggests a malicious intent to redirect the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=missouri+trappers+rendezvous+2020
    • https://cdn.sqhk.co/kuxefoxo/ghgifmE/block_my_apple_iphone.pdf
    • https://vurodotug.weebly.com/uploads/1/3/1/4/131454057/kusaxinomibazujukubo.pdf
    • https://cdn.sqhk.co/zuzipogowita/hhiPZhd/how_to_loot_fast_in_dayz.pdf
    • https://zabavorurexezab.weebly.com/uploads/1/3/5/3/135314693/xojuzobusezu.pdf
    • https://cdn.sqhk.co/juvowisire/fGY73Kt/superheroes_city_mod_apk_unlimited_money.pdf
    • https://cdn.sqhk.co/zibumimuw/jhfhbxg/salesforce_email_templates_merge_fields.pdf
    • https://cdn.sqhk.co/gawagunikuw/8qErlpm/filiwexakiw.pdf
    • https://cdn.sqhk.co/dexediwiboze/hiTDig2/frog_dissection_lab_report_answers.pdf
    • https://cdn.sqhk.co/gepumenujeme/ekapCjA/27877543922.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b2fc43c4-60ab-4dc1-a1c8-84833fda4e2a.filesusr.com/ugd/37321e_f070b90df88848c6bd082cfd0517e38a.pdf?index=true
    • https://d6ac5066-27fc-4e71-a07d-b30af50dfe8b.filesusr.com/ugd/934fc3_b9811960911e40fc8cc353d2da919529.pdf?index=true
    • https://5090c2af-253d-40c3-bfb7-942fc6db26b0.filesusr.com/ugd/0511f5_d7c0ce0bc61d4e4995268a5e05bfb429.pdf?index=true
    • https://0502d5d0-a0f5-47b8-bc1c-644c46e4e431.filesusr.com/ugd/6cabbb_c2d7b57b4e414c31a8e5f5ba6cd7f081.pdf?index=true
    • https://9e705916-5bde-4eb8-be9b-8b3e910fbaf8.filesusr.com/ugd/c7a620_4aac773b56b44be987b01becfaaa864d.pdf?index=true
    • https://6f2fb29c-15f2-4b08-b525-3eb91a7f0a41.filesusr.com/ugd/c3548c_6c1ed87e92c04b09a021a0219a4572ee.pdf?index=true
    • https://s3.amazonaws.com/nitajosasa/eastwood_bead_roller_forming_dies.pdf
    • https://s3.amazonaws.com/kuxuxemu/meramec_springs_fishing_report.pdf
    • https://02aee961-309f-4c8b-9790-08f12c26706e.filesusr.com/ugd/8321db_dddeee7dd1e346269fc3223bb28811ed.pdf?index=true
    • https://s3.amazonaws.com/fasudikek/88708000616.pdf
    • https://1b65b899-5fad-42bd-af9e-a3fb1d6a4c80.filesusr.com/ugd/a2ebd8_7c52c846458448ff8fd464185869f04f.pdf?index=true
    • https://5c2cca0d-3a4e-48b0-93bf-8ac6c0c026cb.filesusr.com/ugd/271e65_b6737f0dd05f41d0b04703634d5c4965.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df9a.bin
7989bcda8716b56d89906e35f143c1194380768daac0e571470d45cfc1c4ed75		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF9A 5308 bytes
font_01_sfnt_off0000f1ce.bin
6f453f702df9f696335cabe2ce94e08736c93ca797970dd50d507039326a219d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1CE 11236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.