Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3d2b1751411ebdb…

Verdict: MALICIOUS
File type: PDF

Size: 68.3 KB
Created: 2021-06-14 05:19:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d2ca3cea786b6acdb8eee0408f260cb
SHA-1: 7324479a056df916a10759ef2ca8e3bee4cf70bc
SHA-256: d3d2b1751411ebdb7009545e78bf26ed8b006b7127863ca589333fd16e572f40
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by ClamAV (Pdf.Phishing.Trojan signature) and by the ML classifier (score 0.9992), so malicious intent is highly likely. For a 68 KB file it carries an unusually large number of external link annotations, most of them pointing at throwaway weebly.com, strikinglycdn.com and pbworks.com file hosts, with one prominent link to 'dafemum.ru' whose query string embeds a search phrase; together with the wkhtmltopdf authoring stamp this is the profile of a generated HTML-to-PDF SEO/link-farm carrier used to route users into phishing or unwanted-software delivery chains. The document body is heavily obfuscated but appears to be a lure themed around 'weapon aerodynamics', matching the search phrase in the dafemum.ru URL. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by a recovered script artifact; the verdict rests on the link-farm pattern and the signature and classifier hits, which together point to a phishing or downloader attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the trailing w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are XMP namespace and font-licence identifiers from the document and font metadata, not clickable link targets.
    • https://dafemum.ru/123?utm_term=approximate+methods+for+weapon+aerodynamics+pdf
    • https://ziperivowupidu.weebly.com/uploads/1/3/1/3/131381589/2eebc0.pdf
    • https://xufujakuzizam.weebly.com/uploads/1/3/5/3/135315974/porobowenunapavesik.pdf
    • https://xutativapejan.weebly.com/uploads/1/3/4/5/134521393/e3fd030a2f.pdf
    • https://forugizatufuru.weebly.com/uploads/1/3/1/4/131410167/xebolabal-vevazolorelumex-munag.pdf
    • https://melonugijiroduk.weebly.com/uploads/1/3/5/3/135325977/4249965.pdf
    • https://monezoxikaxusoj.weebly.com/uploads/1/3/1/4/131453753/gojidewe_fojowirade_tofalufu.pdf
    • https://turezizudowan.weebly.com/uploads/1/3/1/6/131606253/f763a6.pdf
    • https://susemozud.weebly.com/uploads/1/3/2/8/132814624/bosixo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/baed4b56-9c0e-4d37-ab74-c8a4a0492210/11350841911.pdf
    • https://uploads.strikinglycdn.com/files/90028c07-81fa-4bf3-a381-dcb9f320c020/85151302736.pdf
    • http://didaneguk.pbworks.com/w/file/fetch/144425217/power_probe_3_fix.pdf
    • http://vefubop.pbworks.com/w/file/fetch/144973236/97958076150.pdf
    • https://uploads.strikinglycdn.com/files/a9be1cd4-fe24-4c3f-9b6a-55a559152d49/how_do_i_connect_my_hp_photosmart_printer_to_wifi.pdf
    • https://uploads.strikinglycdn.com/files/d7ceeac1-5c13-496b-b1b6-9c764f1ef4a3/82560537801.pdf
    • https://uploads.strikinglycdn.com/files/623536ac-e423-4499-a792-45bc7ac02e27/one_punch_man_king_season_1_vs_season_2.pdf
    • http://zopujoxobug.pbworks.com/w/file/fetch/144419268/80782654079.pdf
    • http://foziwedugumu.pbworks.com/f/magasavozafu.pdf
    • https://uploads.strikinglycdn.com/files/29babcb6-1843-400d-aa68-db3259fc347c/how_to_replace_bearings_on_a_motorguide_trolling_motor.pdf
    • https://uploads.strikinglycdn.com/files/e244dc67-4faf-4882-9258-8b79f845f7f0/things_to_describe_a_storm.pdf
    • https://uploads.strikinglycdn.com/files/c046f431-1fef-4a42-991e-bb618b428e6c/27978084906.pdf
    • http://tipewizu.pbworks.com/f/dead_cells_android_apk.pdf
    • https://uploads.strikinglycdn.com/files/b59a5c52-af8f-4583-9c50-42366635ed78/the_first_stage_of_the_industrial_revolution_involved_production_of.pdf
    • https://uploads.strikinglycdn.com/files/9a752842-1e56-4d6e-bfb7-1e66048a2081/the_how_of_happiness_download_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
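The two heuristic shapes above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small scanner. The block below is an added example, not code from this report or from the analysis engine that produced it. The thresholds (file under 256 KB, at least eight external links, half or more on one registrable domain), the last-two-labels domain-clustering rule, the `.test` hostnames and the PDF bytes themselves are constructed assumptions for illustration; a production tool would use a real PDF parser and the public suffix list.

```python
"""Added example: a minimal scanner for the link-farm and duplicate-object
heuristics. Not the report's engine; thresholds and sample data are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a tiny PDF whose single page carries eight /Link annotations,
# followed by an incremental update that redefines object 4 with a different /URI.
_BASE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R] >>
endobj
"""

def _link(num, url):
    # One /Link annotation object with a /URI action (literal-string form).
    return b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, url.encode())

_LINKS = [
    (4, "https://example.org/citation.pdf"),
    (5, "https://aaa.weebly.test/uploads/1/3/1/a.pdf"),
    (6, "https://bbb.weebly.test/uploads/1/3/2/b.pdf"),
    (7, "https://ccc.weebly.test/uploads/1/3/3/c.pdf"),
    (8, "https://ddd.weebly.test/uploads/1/3/4/d.pdf"),
    (9, "https://eee.weebly.test/uploads/1/3/5/e.pdf"),
    (10, "https://fff.weebly.test/uploads/1/3/6/f.pdf"),
    (11, "http://fonts.example.com/license"),
]
LURE_URL = "https://lure.example.ru/123?utm_term=pdf"
SAMPLE_PDF = (_BASE + b"".join(_link(n, u) for n, u in _LINKS)
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
              + _link(4, LURE_URL)                      # incremental update: object 4 again
              + b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def parse_objects(data):
    """Every 'N G obj ... endobj' definition in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(data)]

def duplicate_bodies(objs):
    """(N, G) ids defined more than once with differing bodies: the PDF_DUPLICATE_OBJ_BODY shape."""
    seen = {}
    for num, gen, body in objs:
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def resolve(objs, policy="last"):
    """Collapse duplicates the way a first-wins or last-wins reader would."""
    table = {}
    for num, gen, body in objs:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table

def extract_uris(table):
    """External URL actions in the resolved object table (PDF_URI). Simplification:
    only literal-string /URI values; hex strings and escape sequences are not handled."""
    uris = []
    for body in table.values():
        uris += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return uris

def registrable_domain(url):
    """Crude clustering key (assumption): last two DNS labels. Use the public suffix list in practice."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def link_farm_verdict(uris, size, max_size=256 * 1024, min_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external links, most on one registrable domain.
    Returns (flagged, dominant_domain, share_of_links_on_it)."""
    ext = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    if size > max_size or len(ext) < min_links:
        return False, None, 0.0
    dom, n = Counter(registrable_domain(u) for u in ext).most_common(1)[0]
    ratio = n / len(ext)
    return ratio >= cluster_ratio, dom, ratio

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("duplicate objects:", sorted(duplicate_bodies(objs)))
    for policy in ("first", "last"):
        uris = extract_uris(resolve(objs, policy))
        print(policy, "-wins reader sees object 4 as:", [u for u in uris if "example.org" in u or "example.ru" in u])
    print("link farm verdict:", link_farm_verdict(extract_uris(resolve(objs)), len(SAMPLE_PDF)))
```

The point of running both resolution policies is the one the duplicate-object heuristic makes: a scanner that only reads the first definition of object 4 reports a harmless citation link, while a last-wins reader (the behaviour of most viewers for incremental updates) follows the lure URL, so a detection pipeline should extract URLs under both policies and union them.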

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000cecc.bin | 9b7d2c4ce14e8f35b5958ebdfb9f04f3b9dfe0a01477ca29f3a963999d6e30d4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCECC | 5616 bytes
font_01_sfnt_off0000e1d4.bin | e904234fcdffcefdfcf36ebaef18a7474fc88ebe9ca1064f03bf5e527212d9b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1D4 | 9712 bytes