Malicious PDF — malware analysis report

Static analysis result for SHA-256 d277da187efe695f…

MALICIOUS

PDF

69.4 KB Created: 2021-03-20 10:46:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fe56b76adc84ae2568833994741d848 SHA-1: d57acdf60131768f580765aa7c1ebfccf4c440fa SHA-256: d277da187efe695f84a01a8a377ac1eecaa88ebdb3242ebf7bffbcc7e5630c5a
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged as malicious by ClamAV and an ML classifier. It contains numerous embedded URLs, including a link farm and an invisible link to a suspicious domain, indicating a phishing or malicious redirection attempt. The document body is largely unreadable, but the presence of multiple suspicious links strongly suggests an attempt to lure the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=little+bi+peep+trailer
    • https://muwegegedagus.weebly.com/uploads/1/3/0/7/130738526/pinofemoji.pdf
    • https://talipugetajizan.weebly.com/uploads/1/3/4/8/134862074/72e7848a6a1e.pdf
    • https://bakusiluvusefe.weebly.com/uploads/1/3/5/3/135309983/zutawirefajibo_zomirezuseluvo.pdf
    • http://clientbluebadge.com/49815866566a0y22.pdf
    • http://clipshd.design/27762116591k71nn.pdf
    • https://jumolemema.weebly.com/uploads/1/3/4/8/134853288/02e051981f640.pdf
    • http://fullstacket.online/dns_server_clash_of_clansox252.pdf
    • https://lujajumivovun.weebly.com/uploads/1/3/0/7/130776132/395407.pdf
    • https://zoxiniguve.weebly.com/uploads/1/3/4/5/134584112/6675666.pdf
    • https://vozupawugenebib.weebly.com/uploads/1/3/0/7/130776609/vamokomikijitejanab.pdf
    • https://wipukanutunuk.weebly.com/uploads/1/3/1/4/131437017/parazamiraweg.pdf
    • https://mifopezuzata.weebly.com/uploads/1/3/4/4/134484464/tuwonajokozeretik.pdf
    • https://butegipabozu.weebly.com/uploads/1/3/4/2/134235803/4105128.pdf
    • http://securityofusersdevicesonline.site/truck_simulator_19_mod_apk_homei0y9e.pdf
    • http://insurancesouk.com/333481625958tofy.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fidobakipivogit/baretizogovilajapem.pdf
    • https://s3.amazonaws.com/novifamigot/opera_pc_browser_software_free.pdf
    • https://uploads.strikinglycdn.com/files/ef591e0c-b61e-4ffb-a6a7-e7166f77a286/dynamite_prophet_quad_sport_lipo_charger.pdf
    • https://uploads.strikinglycdn.com/files/581aaa04-dd79-4867-9d70-0786df0eaf97/volume_of_cone_real_world_problems.pdf
    • https://s3.amazonaws.com/sitok/grammar_checker_apk_full.pdf
    • https://s3.amazonaws.com/nilafafakem/30369023407.pdf
    • https://uploads.strikinglycdn.com/files/ff4255e5-43fb-4ec4-89d6-5fe38a7f45dc/81014080409.pdf
    • https://s3.amazonaws.com/baposivarabuj/jixutasasudose.pdf
    • https://s3.amazonaws.com/wupiwupiwot/49239485286.pdf
    • https://s3.amazonaws.com/taguxif/html_tags_notes.pdf
    • https://s3.amazonaws.com/semuxemakaw/rebel_xt_dslr.pdf
    • https://s3.amazonaws.com/tikofaketonub/aeroflex_ifr_6000_manual.pdf
    • https://uploads.strikinglycdn.com/files/722196cd-be2f-49ea-b086-88f4cc6c54ad/jack_and_the_beanstalk_steven_kellogg_summary.pdf
    • https://uploads.strikinglycdn.com/files/042ebbbc-5a76-4a59-bbe5-cb01d4a73e24/juz_amma_surahs_audio.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d327.bin
f7d64b7929482c854ffa6b1940ce1af11e9db89d004d61dd2bd090cd69862417		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD327 4716 bytes
font_01_sfnt_off0000e338.bin
cff28a826c558924d74109d39db8bb946745f9a3ed3829f7b04d52fb31f51db2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE338 10984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.