Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbd82b22f42a1249…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2021-05-06 10:09:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9b0f4f0b5cdb2e7ecedf489ab93bfe3d
SHA-1: a7b121098221db1a1b75f3bc77dda54123c9c16c
SHA-256: bbd82b22f42a1249b0856d32e3495a66ea864357ecf27ff389465812e66ccf7b

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, suggesting a link farm or SEO manipulation tactic. One of the embedded URLs, 'https://dafemum.ru/strik?utm_term=rudram+namakam+chamakam+benefits', is particularly suspicious and likely leads to malicious content or a phishing page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://dafemum.ru/strik?utm_term=rudram+namakam+chamakam+benefits
    • http://uose.xyz/the_sandman_movie_1991qsppz.pdf
    • https://cdn.sqhk.co/vanewano/hepesDQ/vetumaziwepijowewave.pdf
    • https://cdn.sqhk.co/dokukavifig/edhigif/fastest_bowling_in_cricket_history.pdf
    • https://cdn.sqhk.co/fosojatesog/0hbhZhc/biwalapizowibidaje.pdf
    • http://ita-yog.space/2_player_soccer_car_gamesm9h93.pdf
    • https://cdn.sqhk.co/jututumogu/ekjeiis/issa_22_pew_pew_pew_gif.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/f12ecc63-762d-4a7a-b36d-b9d131bc6aeb/how_do_you_unlock_a_locked_honeywell_thermostat.pdf
    • https://1fd079ea-3156-4ae8-a0b4-6153e0b529c5.filesusr.com/ugd/e66bf7_e49734d7e2274409844641bed9694be7.pdf?index=true
    • https://c7bff75e-0a19-4817-9d47-fca4cf08161b.filesusr.com/ugd/3b6424_dc1f07cec0634851b0228ec44739a304.pdf?index=true
    • https://ec451167-49e0-489e-a150-d7dc0ecf9264.filesusr.com/ugd/fe0276_42286d7472ff4012b099b8bb011922f3.pdf?index=true
    • https://770603ce-cae8-48b7-b4e8-6e15b9dac1cd.filesusr.com/ugd/e975af_805caa98bbc4470bbc444867431134d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0b0e9a5e-6aa4-4bd4-8bf7-4b82f15bb9cd/wasumokavusejodononevog.pdf
    • https://86042ffc-9b62-460b-8552-fb2522205a17.filesusr.com/ugd/4f92c1_cf0a3678f1374c55b517a69b355b9cb4.pdf?index=true
    • https://0e733887-fd72-4d21-8b10-0a39cafbc931.filesusr.com/ugd/1e4d10_95db7424599e473fb2703a7673b55af9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/20705ba9-1699-496a-9cd4-87a4d3ecc8ed/how_to_adjust_shoulder_straps_on_evenflo_symphony_car_seat.pdf
    • https://uploads.strikinglycdn.com/files/5497fc9b-00ff-4249-87d6-35eb901fd34b/rowenta_handheld_steamer_cleaning_instructions.pdf
    • https://e3ba7771-1cf2-49b9-be81-d91832e8ed63.filesusr.com/ugd/bc9675_052a21cc4d234d549f88d76b97acc7e3.pdf?index=true
    • https://28932ed2-21d9-4123-99cb-fcff0aac4472.filesusr.com/ugd/cc089a_4cb68a2537624a9eaa97ee38424c21e6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000eb0a.bin
    SHA-256: 7622d35e49b6caa313f6630e4b8ac1e4cfb770ec8408e47d48a5a5c1816cccef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB0A
    Size: 5440 bytes
  • font_01_sfnt_off0000fd67.bin
    SHA-256: 6be018c8eab4bc821a9baf7a0e73d3e3346dc3a1b362db64e0ec408732d9aa7e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD67
    Size: 11912 bytes
  • font_02_sfnt_off0001239e.bin
    SHA-256: 0ce280aa7b1588a7d63191cd157f9ce57a5ef49284f44ff4ba5ec14626437b4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1239E
    Size: 3304 bytes