Malicious PDF — malware analysis report

Static analysis result for SHA-256 c77611a0d54d99c5…

MALICIOUS

PDF

79.5 KB Created: 2021-03-25 04:02:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60a4da7c448e9629ba5953bc0860c603 SHA-1: 4fe0ada9b2daec6f325929a0ba9cd35f00a36c39 SHA-256: c77611a0d54d99c5c1daf1183e457c7ccf0e6441692d362efda901aba5959908
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to redirect users to potentially harmful content. The document body, though heavily obfuscated, contains references to 'Uri the surgical strike trailer pagalworld', indicating a lure to attract user clicks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/123?utm_term=uri+the+surgical+strike+trailer++pagalworld
    • https://static.s123-cdn-static.com/uploads/4490265/normal_6008115817dfe.pdf
    • http://mevukavotidu.getenjoyment.net/89811610339.pdf
    • https://static.s123-cdn-static.com/uploads/4452169/normal_5fc5819cbf007.pdf
    • http://natezaka.iblogger.org/beiimaan_love_movie_300mb.pdf
    • http://gokawojop.scienceontheweb.net/display_base64_encoded_in_html.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e7f45dcf-1957-410e-85b1-216e85a225c4.filesusr.com/ugd/a2c2bc_cfed55b1bc2e44b5aed584ef3ffde9cd.pdf?index=true
    • https://a9b7993f-6967-48c1-a2c3-d5bc86fe985f.filesusr.com/ugd/ea2be3_3572516786b64614a71ea27328d3cb89.pdf?index=true
    • http://kavezusi.onlinewebshop.net/2432892932.pdf
    • https://df9240ce-57b4-430e-a582-521170ca5232.filesusr.com/ugd/10b03a_0b3409201a4c46a7a6f398d1bca36f97.pdf?index=true
    • https://c0e8410b-c394-4b36-8083-179878a46647.filesusr.com/ugd/d4b1dc_44a7a1b544314ee39929b77ce0b8ade5.pdf?index=true
    • https://0aed7b51-d02b-4864-a6bb-b478bb809667.filesusr.com/ugd/fbdaab_b7055928f72c4534a4691cf009a03956.pdf?index=true
    • https://7aff118d-26f6-4d76-9bc9-1838009e7274.filesusr.com/ugd/f80014_11ccc14a6836474ea78499463848fb2c.pdf?index=true
    • https://777dd155-384c-4f1d-a337-8f27b94bb056.filesusr.com/ugd/1ecdae_fe40eff3992d4708bb3309fea3cfb361.pdf?index=true
    • http://vulawogini.rf.gd/ajax_javascript.pdf
    • https://21d44941-995c-48b9-956b-8145330e20d5.filesusr.com/ugd/577b75_4476cb5946254069ad8d58c6105fe8a0.pdf?index=true
    • http://varupijijajeb.rf.gd/how_to_thank_a_board_member.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00011a3e.bin
3e83ed34eed6e00b015c5f7122b22db12e0780c24717658958273b2a41147fb0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11A3E 16540 bytes
font_00_sfnt_off0000e4ef.bin
6a5d916455bb7dbf40c44dc22f352895f388a3226a02a82e2706fb0f8ff72eaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4EF 5480 bytes
font_01_sfnt_off0000f7a7.bin
c4507d0f5ec5fdb679d67de1a53b66334bd05020dc5f9683b73a3a68b40478ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7A7 10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.