Malicious PDF — malware analysis report

Static analysis result for SHA-256 c880aad82308faf4…

Verdict: MALICIOUS
File type: PDF
Size: 77.5 KB
Created: 2021-06-01 00:04:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 34a4c79d0733d6ef19655e42617462ee
SHA-1: 33cc3abf26e3821737cc6e5078d74965f679770c
SHA-256: c880aad82308faf4c2e5d1a854e47e40d1c1dcf0fca24bb88308ece98e9492f7
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document exhibits characteristics of a phishing lure, specifically designed to harvest credentials or abuse multi-factor authentication. The presence of numerous external links, including one pointing to `allytemp.ru`, suggests an attempt to redirect users to malicious sites. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to credential theft.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • MFA / one-time-code harvesting lure (high, SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://allytemp.ru/pbw?utm_term=how+to+fill+anganwadi+form+online
    • https://jakidanumamew.weebly.com/uploads/1/3/4/8/134881834/ladutelixed.pdf
    • https://xenofoko.weebly.com/uploads/1/3/4/7/134735933/wajizalegekedemaw.pdf
    • https://xufujakuzizam.weebly.com/uploads/1/3/5/3/135315974/17c68a0aced94e3.pdf
    • https://xoxigukot.weebly.com/uploads/1/3/4/8/134861038/8115248.pdf
    • https://kiretadipul.weebly.com/uploads/1/3/4/0/134040802/2757231.pdf
    • https://bunonosuvon.weebly.com/uploads/1/3/5/9/135976801/mebuzifelur.pdf
    • https://folumenudi.weebly.com/uploads/1/3/2/6/132681426/xoganabuludili.pdf
    • https://lumixomenuvaw.weebly.com/uploads/1/3/4/7/134745504/d23bd.pdf
    • https://xukaxibuban.weebly.com/uploads/1/3/4/7/134701669/ruserala.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/17d790c8-7c61-4f7a-9de4-0cf0fb58c962/skyrim_best_mod_list.pdf
    • https://uploads.strikinglycdn.com/files/807515b5-4736-4766-893a-6ef0c91e939e/lefenat.pdf
    • http://niwomif.pbworks.com/f/la_la_land_main_theme_piano_sheet_music.pdf
    • http://zepadatoju.pbworks.com/f/thai_jashe_movie_download_link.pdf
    • https://uploads.strikinglycdn.com/files/d56d3144-db25-4058-9aa6-9719a756e2db/lusosidexogixewawunegazos.pdf
    • http://jajafad.pbworks.com/f/xirefipef.pdf
    • https://uploads.strikinglycdn.com/files/c0b633f6-3687-46e1-be40-9948ecbc7c04/gokuwosujawinub.pdf
    • https://uploads.strikinglycdn.com/files/563137a2-0378-4907-a0e4-874dad333458/larry_lea_prayer_outline.pdf
    • https://uploads.strikinglycdn.com/files/e3be2de7-a7e4-4bfb-9047-40c555ff3c94/zixugojuwemugejizosiloke.pdf
    • http://garigor.pbworks.com/f/grams_to_kg_worksheet.pdf
    • http://sewafebi.pbworks.com/w/file/fetch/144426363/xobasabobiwukodetaluwa.pdf
    • http://xedidovetaw.pbworks.com/f/cats_the_movie_cast_2018.pdf
    • http://zepadatoju.pbworks.com/w/file/fetch/144425181/how_to_fix_keyboard_keys_typing_wrong_characters_-_windows_7.pdf
    • https://uploads.strikinglycdn.com/files/b2829e0f-23fe-4c13-a618-cce35320f5c3/beautiful_creatures_2013_dual_audio_720p.pdf
    • http://lekuzax.pbworks.com/f/laletetaj.pdf
    • https://uploads.strikinglycdn.com/files/98fe65a9-2d11-4438-af38-dc49790ff38c/rock_band_4_downloadable_songs_2019.pdf
    • http://vowujepojez.pbworks.com/w/file/fetch/144428172/2003_jeep_liberty_sport_fuse_box_layout.pdf
    • https://uploads.strikinglycdn.com/files/09cd0a42-82c3-4dc2-8b3e-49554d333ac4/how_to_program_remote_for_liftmaster_8500.pdf
    • https://uploads.strikinglycdn.com/files/6f1b8dea-81a1-4bdd-9756-78493e5b827b/jodok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e854.bin
    SHA-256: 08114eb7233a41821f1d30a56e5c3dbb5d03f40584afeca5dcfabef67575f0dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE854
    Size: 4892 bytes
  • Filename: font_01_sfnt_off0000f8e7.bin
    SHA-256: e5a7f1c6b2dea62384dd310b45e3f960d7065f547d5f9e3b510e909e59399709
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8E7
    Size: 9664 bytes
  • Filename: font_02_sfnt_off00011a01.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A01
    Size: 4324 bytes