Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfbf5b3398febca9…

MALICIOUS

PDF

Size: 82.7 KB
Created: 2021-04-04 07:42:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 517862b19766ebbb502fa4eb3dd55801
SHA-1: 2ac542e57f87a157664ca7b4575d0b77c750408a
SHA-256: cfbf5b3398febca9f779c73df26f1d8ceef33ea4ad36ff31728db783b9d63318
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM', suggesting an attempt to distribute or redirect users to malicious content. ClamAV detected the file as 'Pdf.Phishing.Trojan', and a high ML score further supports malicious intent. The presence of embedded URLs and a 'download button' heuristic indicates a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010808.bin
    SHA-256: fe04aed5f5b3756a508bab66cb753d2fc1c5cdf1529f2ba3b5a633b0f42083c5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10808
    Size: 4948 bytes
  • Filename: font_01_sfnt_off000118bf.bin
    SHA-256: e6be6017efdb8421b51accdffa8adb408e9b95903b9a52642233f52999ecc562
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118BF
    Size: 10776 bytes