Malicious PDF — malware analysis report

Static analysis result for SHA-256 d28d35fd4b1284b3…

Verdict: MALICIOUS
File type: PDF
Size: 97.3 KB
Created: 2021-06-05 09:32:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8903880513cf149604d0647e289ffc1e
SHA-1: ed0dbe21b5d4943975e8a47a00f449a2ec04ae25
SHA-256: d28d35fd4b1284b3c39949b3031336f00c221568a783183f3a9ecd47e69b0ebf
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, with one prominent URL pointing to 'pelibifir.ru'. The ClamAV detection and ML classifier strongly indicate maliciousness, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and numerous external links suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://pelibifir.ru/123?utm_term=bollywood+movies++telegram

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00010d53.bin
    SHA-256: da9227d803687063f66cf7dfa78de1ee905a540eef857ffc4d92688b8418ee34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D53
    Size: 3136 bytes
  • font_01_sfnt_off0001187f.bin
    SHA-256: 2c01bef6abf941a664a59e67250c0d48ec2c8d27acb0af809deafe6b1073a0bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1187F
    Size: 5128 bytes
  • font_02_sfnt_off00012a0a.bin
    SHA-256: 6ac5042abf856875c34923a46986bdbebd7bb8520d2483159ef0e4298307e3f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A0A
    Size: 11924 bytes
  • font_03_sfnt_off000152e3.bin
    SHA-256: eb3e788e50cd621ecd8cbdee3f3fc3a8bd86b5e914d2adb58b86567ef6e6c11b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x152E3
    Size: 16360 bytes
  • font_04_sfnt_off00016870.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16870
    Size: 4324 bytes