Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1caa360a3ff701a…

MALICIOUS

PDF

75.6 KB Created: 2021-03-05 10:24:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: 191fdfd7e99e25be0d29518af5ee80a4 SHA-1: 52c1577823ab9d7d52b4a0a15d637a43b46cdcce SHA-256: c1caa360a3ff701ac7ad11551bf8a9a978d4c5e3aacacc527d0f907d28da939d
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious redirector links and is flagged by an ML classifier as malicious. The embedded links, such as https://dafemum.ru/wix?keyword=tv+guide+quad+cities, are designed to lead users to potentially harmful sites. While no scripts were explicitly extracted, the PDF structure and link analysis strongly suggest a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=tv+guide+quad+cities In PDF document text
    • https://cdn-cms.f-static.net/uploads/4491686/normal_60388abc46b3a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4489264/normal_602433741434c.pdfIn PDF document text
    • https://xamatetafuxu.weebly.com/uploads/1/3/1/6/131606968/4779808.pdfIn PDF document text
    • http://mifuvaxikibowi.22web.org/23802121866.pdfIn PDF document text
    • https://siwurarililoto.weebly.com/uploads/1/3/1/4/131453181/vibejokugamizuj-zolumuj.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4469638/normal_60257d21c2e4c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4469827/normal_601e6fc013dcf.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://gedonisezif.epizy.com/new_books_by_diana_gabaldon.pdfIn PDF document text
    • http://wekidezeze.epizy.com/nilagapumigemepofufiwezi.pdfIn PDF document text
    • https://2c5a832e-93c4-4ab0-bef0-969ef348d747.filesusr.com/ugd/cc5daa_8d4f6405f1484f4f8dbd7e18614b9fd1.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/seriposuj/42151173908.pdfIn PDF document text
    • http://sozanizitug.epizy.com/how_to_find_dialog_sim_location.pdfIn PDF document text
    • https://s3.amazonaws.com/pisik/dojapebizigijowizemola.pdfIn PDF document text
    • http://gewumene.epizy.com/48265573262.pdfIn PDF document text
    • https://6d5fec37-5936-4ae8-8938-03a86e982f09.filesusr.com/ugd/d4da64_580bb4b4a22f403bbb9aa02445bfd32c.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/lulelepese/take_me_on_encounter_ost.pdfIn PDF document text
    • http://nosifunugiwes.epizy.com/29541253982.pdfIn PDF document text
    • https://9764c975-acb6-4bd5-a3ff-b1f4624bc9bc.filesusr.com/ugd/5bcb7b_23ae1db132854308be5df3789b5c9b1a.pdf?index=trueIn PDF document text
    • https://ee6bc897-aa08-459d-b6e6-b1b1d69fcba1.filesusr.com/ugd/7ba596_097f12fcf0e640f08d4a89ab939d32fe.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/baxunaf/sgs_chain_of_custody.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb0d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB0D 5112 bytes
SHA-256: 29d78f9f3624d3d8b4a3a0a2af430db0b6475b97562b90e4f893c2d3b772dd8a
font_01_sfnt_off0000fc86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC86 10768 bytes
SHA-256: 36f20211b8ba9decb7d3103fc1c835373412fc928b7b9e8d036e26818445d970

Open this report in the interactive analyzer, or submit your own file for analysis.