Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc0dc86c12983850…

Verdict: MALICIOUS

File type: PDF

Size: 82.9 KB
Created: 2021-04-15 07:50:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8900ecb19f4561116eb75da663a74a17
SHA-1: d5422a0e5cba8f84c3e253f2331ddae5cc8a4102
SHA-256: cc0dc86c12983850d5092e083c80d584931d7cca5c29636bb6cf3fd0ebeebce9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or redirection scheme. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware distribution. The document body, though heavily obfuscated, contains text related to search queries, suggesting a lure to disguise the malicious nature of the links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=is+marley+a+boy+or+girl+name
    • http://bifozitixexidad.mygamesonline.org/vuguduxuxaz.pdf
    • http://muwiduvepobuz.mygamesonline.org/revidojebemitaduzukozab.pdf
    • http://vixegoxufareka.getenjoyment.net/maslow_s_hierarchy_of_needs.pdf
    • http://lozejebivo.scienceontheweb.net/5082025899.pdf
    • http://maxirem.mygamesonline.org/cognitive_biases_poster.pdf
    • https://lumozumaxovoj.weebly.com/uploads/1/3/5/3/135348549/68b22147e9aa564.pdf
    • https://tikedamo.weebly.com/uploads/1/3/1/4/131453682/toxoz-wekolenotoleg-kejumaboj.pdf
    • http://pixunune.sportsontheweb.net/is_harry_potter_on_amazon_prime_video_uk.pdf
    • http://mofemaruwek.sportsontheweb.net/dutujomaluxevojitagepixa.pdf
    • https://ripukalogud.weebly.com/uploads/1/3/4/3/134391837/0144fa.pdf
    • https://pedidifapa.weebly.com/uploads/1/3/0/8/130874671/folose-pujidudopagawo-mamovikemepu-woguziwis.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f98f40d2-b649-4e6b-99af-b89bbf2331ff.filesusr.com/ugd/724bd4_b1ab602eb9fd4f3b8824f5fcbdd4f585.pdf?index=true
    • https://9eaa565e-fb97-40b4-b096-d6760803f699.filesusr.com/ugd/55e2c6_f24fb02fb58e4241bad9d9a6be3cfb14.pdf?index=true
    • http://gipebevu.atwebpages.com/wonedepusopekebe.pdf
    • https://d5e9a058-cbdc-4968-ba72-30cdbf1e36a3.filesusr.com/ugd/9cfd0a_5c2d3f2ab65f40179c405adef631b2d8.pdf?index=true
    • https://aa514bbb-a96e-4bc9-8ff3-0ca2edd1104f.filesusr.com/ugd/3fc21f_ef9ce7c2a27d4114897efd5643255daf.pdf?index=true
    • https://76c9fb28-c10e-4950-85be-37de24a2ede8.filesusr.com/ugd/fa32a6_69ad007e302a47d2b89ceb5ad2286250.pdf?index=true
    • https://8ac5c8e1-9174-427d-95c2-90bebb9f105a.filesusr.com/ugd/44b221_3db3b7a161b2446ea2a27cb8e7d6de74.pdf?index=true
    • https://f9fc249e-2e6a-4908-9eb0-88005465a50d.filesusr.com/ugd/2530ee_c059952fbb0a4bb696ae9ac0b8620020.pdf?index=true
    • https://05790d5e-93e9-4545-bcc4-99c37f081c18.filesusr.com/ugd/bff4d5_79ca6476bced4882b1c48c63d1dd9eee.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000107b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107B3
    Size: 5184 bytes
    SHA-256: c862b7e93b18a8b9c008354cfc4553060a856b636345b6920341f409fb81e0d0
  • Filename: font_01_sfnt_off00011947.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11947
    Size: 10948 bytes
    SHA-256: 2772cd8fb9f0dab6b16317b5f1dfeeeaf7152e2029a1bb92bd858c236ee381f2