Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbd0488be9aa00ef…

MALICIOUS

PDF

Size: 74.9 KB
Created: 2021-05-02 01:57:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ddfa66d6d80ba4e9949f2c9821544a9
SHA-1: 73a66263c67cd1649a65fbcc2b283c242c9bfc95
SHA-256: cbd0488be9aa00efe3989e90d64c5b688e4e2db1045e0611abcdfb23400d9e6a
Risk Score: 196

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

A link-farm heuristic fired: the document is small but carries many clickable external links to other PDFs, clustered on a few file-hosting CDNs, plus one link to fokemale.ru whose query string (utm_term=lexmark+ms310+reset+factory) is a search phrase. That is the shape of an SEO-poisoning lure that routes search traffic into a phishing page or an unwanted-software delivery chain. The ML classifier (0.9997) and a ClamAV phishing signature both flag the file, and a separate heuristic found password instructions for an archive, a common way to keep a payload encrypted until it is past gateway scanning. No JavaScript or other active content was extracted, so the T1059.007 mapping is not backed by any recovered script; the risk lies in where the links lead (credential harvesting or further malware delivery), not in the document itself exploiting the reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • SE_PASSWORD_ARCHIVE_LURE [high]: Password-protected archive handoff
    The document gives password instructions for an archive or attachment, a pattern often used to keep a payload encrypted until after gateway scanning.
  • PDF_URI [info]: External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL [info]: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this file the fokemale.ru entry is the search-phrase lure and the .pdf links on f-static.net, s123-cdn-static.com, strikinglycdn.com and filesusr.com are the link-farm members. The last seven entries (w3.org, purl.org and ns.adobe.com namespaces, scripts.sil.org/OFL) are XMP metadata namespace identifiers and a font-licence URL picked up from the document body, not clickable links; the ascendercorp.com entries most likely come from the name tables of the embedded fonts (an assumption based on the two carved sfnt fonts, not something the scanner states).
    • https://fokemale.ru/strik?utm_term=lexmark+ms310+reset+factory
    • https://cdn-cms.f-static.net/uploads/4462073/normal_600f57ecacad4.pdf
    • https://cdn-cms.f-static.net/uploads/4481699/normal_60243cfee66e5.pdf
    • https://cdn-cms.f-static.net/uploads/4463532/normal_60333a4742891.pdf
    • https://cdn-cms.f-static.net/uploads/4372080/normal_606c6bfdd44b2.pdf
    • https://static.s123-cdn-static.com/uploads/4402932/normal_5ffb302f27409.pdf
    • https://static.s123-cdn-static.com/uploads/4443356/normal_5fcc1d17eb81d.pdf
    • https://cdn-cms.f-static.net/uploads/4370066/normal_603cfe134ce39.pdf
    • https://cdn-cms.f-static.net/uploads/4467278/normal_606234654178c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9f1f619f-c3b1-4710-a85d-dac0e4dcd4a4/what_is_holistic_learning_theory.pdf
    • https://uploads.strikinglycdn.com/files/b1924424-d8fa-4d95-90a8-f220c1cfec8d/coleman_furnace_diagnostic_codes.pdf
    • https://uploads.strikinglycdn.com/files/291e4b31-eca5-4166-874d-a6777911a9f3/who_killed_the_nightsisters_of_dathomir.pdf
    • https://70fbc5f3-53e4-4072-9ff7-a5862d19847b.filesusr.com/ugd/bb3bf9_c19dacec527343c8afa880290abed893.pdf?index=true
    • https://fc59733d-949e-4df9-817b-fea2515c5cc7.filesusr.com/ugd/689329_ef670c8aeae54734985d95ab3ffbb0a1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/34148ab4-233f-4625-b14d-6ea2d6345504/tofanejasapizowivof.pdf
    • https://592908bf-dd96-48cc-88d9-ffebbdd10d84.filesusr.com/ugd/f34823_eabc050f26454d35874090860efd2613.pdf?index=true
    • https://af1bea64-f5cd-41c2-a7c1-97f21c1aa057.filesusr.com/ugd/592671_824b773d31cb440eb782c2e9769902f2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/605e13d9-94cb-45f1-8d4a-3580dfcc2248/frases_motivacionais_inteligencia_emocional.pdf
    • https://5610d23c-e099-485d-ada5-1c5fec8f01b3.filesusr.com/ugd/97e063_b876dcc463cb4fa8b6a41ffa650e7ed3.pdf?index=true
    • https://b24182fa-1fee-416c-9f57-41d8a36573e1.filesusr.com/ugd/1cc367_21b4567330b94d1d8de98992082a45ae.pdf?index=true
    • https://uploads.strikinglycdn.com/files/67507b06-0748-45b9-ac88-3291d18c8822/can_phantom_power_damage_microphone.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
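The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-channel URL labelling can be reproduced with a raw byte scan. The script below is an added example, not the analysis platform's own code: it walks every "N G obj ... endobj" definition in file order (so it also sees objects that an incremental update has superseded), labels each /URI by the object that carries it, clusters .pdf links by host, and flags object ids defined twice with differing bytes, raising severity only when a duplicate carries an action. The hosts (example.net, example.com, lure.example), thresholds and SAMPLE_PDF are constructed for illustration.

```python
# Raw-scan triage for link-farm shape and duplicate object definitions.
# Added example, not the analysis platform's code.  It scans raw bytes rather
# than following the xref table, so it also sees superseded objects.
# SAMPLE_PDF, its hosts and the thresholds are constructed assumptions.
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string) with backslash escapes; hex-string URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def extract_uris(data):
    """Return [(url, channel)], labelling each URL by the object that carries it."""
    found = []
    for _num, _gen, body in iter_objects(data):
        if re.search(rb"/Subtype\s*/Link", body):
            channel = "link annotation"
        elif b"/OpenAction" in body or b"/AA" in body:
            channel = "open/additional action"
        else:
            channel = "other"
        for m in URI_RE.finditer(body):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            found.append((raw.decode("latin-1"), channel))
    return found


def link_farm(uris, min_links=5, min_share=0.6):
    """Flag the SEO link-farm shape: many external .pdf links clustered on one host."""
    hosts = Counter()
    for url, _channel in uris:
        p = urlsplit(url)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            hosts[p.hostname] += 1
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    return {"pdf_links": total, "top_host": top_host, "top_share": round(share, 2),
            "flag": total >= min_links and share >= min_share}


def duplicate_objects(data):
    """Map (num, gen) -> first/last body and an active-content flag for ids defined
    more than once with different bytes (first-wins and last-wins readers diverge)."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body.strip())
    dups = {}
    for key, bodies in seen.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            dups[key] = {"first": bodies[0], "last": bodies[-1], "active": active}
    return dups


def analyse(data):
    """Run the three checks and return one summary dict."""
    uris = extract_uris(data)
    dups = duplicate_objects(data)
    if any(d["active"] for d in dups.values()):
        dup_sev = "high"                      # a duplicate carries an action
    else:
        dup_sev = "info" if dups else "none"  # body-only drift: common in benign updates
    return {"urls": uris, "link_farm": link_farm(uris),
            "duplicate_objects": sorted(dups), "duplicate_severity": dup_sev}


# Constructed sample: five link annotations to .pdf files (four on one CDN host),
# one lure link, and an incremental update that redefines the catalog (object 1)
# to add an /OpenAction pointing at the lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/1/normal_a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/2/normal_b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/3/normal_c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/uploads/4/normal_d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.com/ugd/e.pdf?index=true) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/strik?utm_term=printer+reset) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (https://lure.example/strik?utm_term=printer+reset) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for key, val in analyse(SAMPLE_PDF).items():
        print(key, val)
```

Against a real sample, replace SAMPLE_PDF with the file bytes; the raw scan deliberately ignores the xref table, so an object hidden by a rewritten cross-reference still shows up in duplicate_objects, and the first/last bodies tell you what a first-wins and a last-wins reader would each render.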

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e836.bin | 872348b472f29f117eadf1ca788dce8b5945c071af2c6a84f0266c5f5f2cd2c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE836 | 5528 bytes
font_01_sfnt_off0000fb00.bin | 8d10027e3b2f155dfe43ed4c05b7b6796d62a1e5d326af6138e55ff0ab86c6f8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB00 | 10372 bytes
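How records like the two above are produced, as an added example that is not the analysis platform's carver: scan raw "stream ... endstream" objects, inflate FlateDecode streams, and accept a blob as a font only when it starts with an sfnt signature and its table directory stays inside the blob, then record offset, size and SHA-256 under the same font_NN_sfnt_offXXXXXXXX.bin naming. The assumed approach, the make_sfnt/stream_obj helpers and SAMPLE_PDF are constructed for illustration; they are not the fonts listed above.

```python
# Carve sfnt (TrueType/OpenType) font programs out of PDF streams.
# Added example, not the analysis platform's carver.  Assumed approach: regex
# over raw stream objects, inflate FlateDecode, validate the sfnt directory.
# The fonts and PDF below are constructed test data.
import hashlib
import re
import struct
import zlib

STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Mac TrueType


def sfnt_tables(blob):
    """Return table tags if blob is a well-formed sfnt (header + directory), else None."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGIC:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tags = []
    for i in range(num_tables):
        entry = blob[12 + 16 * i: 28 + 16 * i]
        if len(entry) < 16:
            return None                      # directory truncated
        tag, _checksum, off, length = struct.unpack(">4sIII", entry)
        if off + length > len(blob):
            return None                      # table points past end of blob
        tags.append(tag.decode("latin-1"))
    return tags


def carve_fonts(pdf):
    """Return one record per stream whose (decoded) content is an sfnt font."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        blob = raw
        if b"/FlateDecode" in dictionary:
            try:
                blob = zlib.decompress(raw)
            except zlib.error:
                continue                     # not a valid deflate stream
        tags = sfnt_tables(blob)
        if tags is None:
            continue
        fonts.append({
            "filename": f"font_{len(fonts):02d}_sfnt_off{m.start(2):08x}.bin",
            "offset": m.start(2),            # file offset of the stream data
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "tables": tags,
        })
    return fonts


def make_sfnt(tables):
    """Build a minimal TrueType-flavoured sfnt from {tag: bytes} (constructed test data)."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    return header + directory + body


def stream_obj(num, data, flate=False):
    """Wrap data in a PDF stream object, optionally FlateDecode-compressed (constructed)."""
    payload = zlib.compress(data) if flate else data
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj << /Length %d%s >>\nstream\n" % (num, len(payload), filt)
            + payload + b"\nendstream\nendobj\n")


FONT_A = make_sfnt({b"head": b"\0" * 54, b"name": b"Example Sans (c) Example Foundry"})
FONT_B = make_sfnt({b"head": b"\0" * 54, b"cmap": b"\0" * 4, b"name": b"Example Serif"})
TRUNCATED = FONT_A[:20]                       # signature present, directory cut short

# Constructed PDF: one raw font, one deflated font, one content stream, one bad font.
SAMPLE_PDF = (b"%PDF-1.4\n" + stream_obj(5, FONT_A) + stream_obj(6, FONT_B, flate=True)
              + stream_obj(7, b"BT /F1 12 Tf (hello) Tj ET") + stream_obj(8, TRUNCATED))

if __name__ == "__main__":
    for rec in carve_fonts(SAMPLE_PDF):
        print(rec["filename"], rec["size"], rec["sha256"][:16], rec["tables"])
```

The directory check is what separates a carver from a signature grep: a stream that merely starts with 00 01 00 00 but whose table entries point past the end of the data is rejected rather than reported as a font, and the SHA-256 is taken over the decoded blob so it can be compared against known-good copies of the font.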