Malicious PDF — malware analysis report

Static analysis result for SHA-256 c60d89c3ace363c7…

MALICIOUS

PDF

78.8 KB Created: 2021-03-20 21:38:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f90e20908b37c85d76b29e13eef0f4c SHA-1: b7cd7705601a2f5b8c1f3a471a4ac57cf35d4312 SHA-256: c60d89c3ace363c726c56fe671a583197eb60d9058c8f7aad89d8a8b386ad8d3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and ML classifiers indicated a high probability of maliciousness. The heuristic PDF_SEO_LINK_FARM indicates the presence of numerous external links, likely for SEO spam or to distribute further malicious content. The embedded URLs, such as 'https://dafemum.ru/wix?keyword=viking+facebook+tool+2019', suggest a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and numerous external links point towards a malicious intent to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=viking+facebook+tool+2019
    • http://fruct.space/best_spy_camera_for_android_phone274t9.pdf
    • https://cdn.sqhk.co/fazituku/eUgczZp/99116852638.pdf
    • https://pakunifa.weebly.com/uploads/1/3/5/3/135307874/bamilubokenusa.pdf
    • https://rusokupos.weebly.com/uploads/1/3/4/4/134468665/996c3881c8.pdf
    • http://cyberghost.store/how_to_make_a_ball_holder_for_garage9q4bd.pdf
    • https://cdn.sqhk.co/temazajilib/jfMfhbv/72929466530.pdf
    • https://jupavovol.weebly.com/uploads/1/3/4/3/134314217/1446731.pdf
    • https://wipasajumavadus.weebly.com/uploads/1/3/4/7/134775966/tawigojapemuk.pdf
    • http://laulu-go.ru/fagejaxas1kfi.pdf
    • https://nekusudowup.weebly.com/uploads/1/3/5/3/135315851/4540687.pdf
    • https://cdn.sqhk.co/nasonamav/HidUun3/microsoft_azure_training_sreerun_technologies_hyderabad_telangana.pdf
    • https://wutodifutatur.weebly.com/uploads/1/3/2/8/132814097/484677.pdf
    • http://itfamily.pro/jamelemewomobulexitesat39ark.pdf
    • https://velineninebag.weebly.com/uploads/1/3/4/6/134608195/6090307.pdf
    • https://cdn.sqhk.co/dupabeket/jcZLjg7/97413155345.pdf
    • http://acgmgroup.ru/android_ui_animation_library_githubisoon.pdf
    • https://cdn.sqhk.co/fugovigul/6jcjitU/doomer_boy_and_girl.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1afae0f6-9e35-4dc9-9db7-5dbf78511926.filesusr.com/ugd/afe78f_f6fbc068d6a24686b1886b09a568c1c1.pdf?index=true
    • https://73c25812-7308-4b32-b985-10e2a25710ca.filesusr.com/ugd/5b604d_2b559232bf5f443d8735f90c39e8aab4.pdf?index=true
    • https://98be45bc-63b9-4117-aff7-84a3d4f2c4a0.filesusr.com/ugd/90c678_691b7bf69e0c49bc9051dea17bf64f0e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f625.bin
cf730896c25c8cab7b64985d90a6bfde61d610cdb1a1e0ab8d107189f45bef53		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF625 5424 bytes
font_01_sfnt_off000108c8.bin
e285d1e0f24c36ec9cd0f4c2e52e71eed743c8812f2f0268d0383aa7d2cc91db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108C8 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.