Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1634313563d02fb…

Verdict: MALICIOUS

File type: PDF

Size: 76.3 KB
Created: 2021-04-08 00:46:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fcedb546cd4f9aeee32388ec64c604c
SHA-1: 2559ab3bb2977bbd66035ab5b71eb9de9f94f0af
SHA-256: c1634313563d02fb2f4a9775c7305e97bf8ab124be7d495081935aa76e2eaf79
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying a link farm pointing to 'http://weraka.online/312995222122bd0j.pdf'. The document body, though heavily corrupted, contains text related to 'free fire battleground apkpure', suggesting a lure. The presence of multiple external links and the ClamAV detection indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ea94.bin
    SHA-256: c882a958a7dc5ae446cdf5275caaec198a31218c96656fc148e67321ae500b22
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA94
    Size: 5188 bytes
  • font_01_sfnt_off0000fc4c.bin
    SHA-256: 69c1db811b3569d457812782aa9c46da4187207403d48e62cb9e8fe2c807b948
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC4C
    Size: 10944 bytes