Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7947e821b40391f…

Verdict: MALICIOUS
File type: PDF

Size: 77.1 KB
Created: 2021-05-25 06:41:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 63f54c637838c152d63b06c0a5535d7a
SHA-1: 712d72dd0374fd9c6b34c5ceb9b8d42f49433390
SHA-256: c7947e821b40391fafa743182a53c961a904eb4b8758ff96702ba85d3bded9e6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are designed to appear as legitimate documents but likely serve as a link farm to distribute malicious content. The presence of a URL pointing to 'dugedepap.ru/strik' with a query parameter suggesting a movie download further supports a phishing or malware distribution lure. ClamAV and ML classifiers also flagged this PDF as malicious, indicating a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=download+film+dear+nathan+hello+salma+layarkaca21 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ee8f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE8F | 5704 bytes
  SHA-256: 0e11a33674276c661d1be3d0c55a30aa8888b054f2b5e0f03e3473a6ee220af1
font_01_sfnt_off000101f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101F9 | 10064 bytes
  SHA-256: 3463a3dcfda929acce9a34779b72840709a492c5bd6cc0fe6b4d9cb079f2a66f