Malicious PDF — malware analysis report

Static analysis result for SHA-256 caaf7ba1ea1da1df…

MALICIOUS

PDF

Size: 78.3 KB
Created: 2021-04-01 13:00:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db7204f784f1012bae1eef900de98ef4
SHA-1: 22fafc0ee23c6a065ab0f44956c7426816ce8e01
SHA-256: caaf7ba1ea1da1df7aa3cd64afee690ffe7a588245ad362ebf6fb419c6f2bb33
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for SEO spam or phishing. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, and the 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics confirm its malicious nature. The embedded URLs suggest an attempt to redirect users to potentially harmful websites, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical: PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info: PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f443.bin
    SHA-256: f4c171efb4e689cab7cc2ddbad9b43b8ead7b5e765d477b77d6e3d4e46005048
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF443
    Size: 5056 bytes
  • font_01_sfnt_off00010577.bin
    SHA-256: e389c3be4ac2d77df8d05e4c6d45c1319a647af57c35bf84fa64248cfdc834ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10577
    Size: 10764 bytes