Malicious PDF — malware analysis report

Static analysis result for SHA-256 d63390ab00311610…

Verdict: MALICIOUS
File type: PDF

Size: 77.6 KB
Created: 2021-03-23 11:04:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: 48ce51a0829db041f1f1cc98c8900407
SHA-1: ebf82993b80641905388838eba96d05bcd578a47
SHA-256: d63390ab003116101796194e9032e42b9ae03ea5180f79d1189e3c4c10bdb6f1
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The sample is identified as malicious by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and a high-confidence ML classifier score. It contains numerous external links, a significant share of which point to a single potentially malicious host, 'midufefew.ru'. The match on the PDF link-farm heuristic indicates a generated SEO carrier document whose purpose is to route visitors into further malicious or unwanted-software delivery chains rather than to convey content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/123?utm_term=beginner+pilates+reformer+video  [PDF link annotation]
    • http://kasaxeko.mypressonline.com/miruxokarutexojow.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4380413/normal_6013221a55a82.pdf  [In PDF document text]
    • http://rubewox.sportsontheweb.net/sein_und_zeit.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4408340/normal_5fd81fef8e0b9.pdf  [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4409819/normal_6032ea765a86f.pdf  [In PDF document text]
    • http://forajadafogaxuv.medianewsonline.com/decision_support_and_business_intelligence_system.pdf  [In PDF document text]
    • http://www.ascendercorp.com/  [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [In PDF document text]
    • http://jasesazolaf.myartsonline.com/how_to_connect_jlab_air_executive.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/1f3b517e-db94-4a3e-aeb4-e6dd454dd475/do_elena_and_damon_sleep_together_in_season_6.pdf  [In PDF document text]
    • https://01d7ec8a-e38e-4e33-8c76-1be31754498b.filesusr.com/ugd/24d943_3e7f2da7eae14bc3a2133fa6faa2659d.pdf?index=true  [In PDF document text]
    • https://s3.amazonaws.com/gezizefefififa/how_much_does_a_9.9_mercury_weigh.pdf  [In PDF document text]
    • https://bf808793-8b46-4c54-8b11-319763181fa0.filesusr.com/ugd/0d018b_244469664b644b4c965d2ecbe616143d.pdf?index=true  [In PDF document text]
    • https://e9593579-f51f-4dc6-af55-2543ab512b45.filesusr.com/ugd/37952c_5798d0dd632d4f95956e1ff1a8379a6b.pdf?index=true  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/bf4ab5ef-95b7-4c4e-a0f4-8a2d196744e3/how_to_file_an_aflac_hospital_indemnity_claim_online.pdf  [In PDF document text]
    • https://s3.amazonaws.com/wibedubosateg/dozejeniwosekuwa.pdf  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/ecdedff8-4d94-4c8d-a11b-4c769a67e997/25324929646.pdf  [In PDF document text]
    • https://s3.amazonaws.com/jovekus/what_are_the_letters_in_personality_types.pdf  [In PDF document text]
    • http://wewamamewiler.atwebpages.com/free_piano_sheet_music_easy.pdf  [In PDF document text]
    • https://s3.amazonaws.com/bisapovepizaj/11719155217.pdf  [In PDF document text]
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_9546a7c08c634f1b8703ad33fb3b33b1.pdf  [In PDF document text]
    • https://s3.amazonaws.com/kotenu/sony_wireless_headphones_tmr-rf985r_manual.pdf  [In PDF document text]
    • https://72b50e20-f79f-40ca-96b4-24bef83e308f.filesusr.com/ugd/1a1092_1f6accab173c43cdb48567c43eb80987.pdf?index=true  [In PDF document text]
    • https://uploads.strikinglycdn.com/files/af8aa00c-097b-4e16-9fdf-cb424703f222/neil_gaiman_quote_about_libraries.pdf  [In PDF document text]
    • https://s3.amazonaws.com/retobifulipo/vebinelinipotalesafeme.pdf  [In PDF document text]
    • https://s3.amazonaws.com/zunaporam/jovaludalaginala.pdf  [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In PDF document text]
    • http://purl.org/dc/elements/1.1/  [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [In PDF document text]
    • http://scripts.sil.org/OFL  [In PDF document text]
    The last seven entries are not navigable destinations: the w3.org, purl.org and ns.adobe.com URIs are RDF, Dublin Core and XMP namespace identifiers from the document's metadata packet, and the scripts.sil.org entry is the SIL Open Font License URL carried in an embedded font's licence string. The two ascendercorp.com entries are also consistent with foundry strings from an embedded font's name table (an assumption, not something the scan verifies). Triage should focus on the link annotation and the free-hosting / CDN document links above them.
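
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a short static pass. The following Python is an added example written for this report, not code from the analysis engine or from the sample: it scans a constructed stand-in PDF (not the analysed file) for `N G obj ... endobj` definitions, lists every link annotation's host to measure single-host clustering, and reports any object number defined twice with different bodies, showing what a first-wins and a last-wins reader would each resolve and raising severity only when a duplicate body carries active content. The sample bytes, the thresholds and the list of "active" keys are assumptions, and the regex object scan is illustrative only: it ignores xref tables, object streams and stream data, so use a real parser (pypdf, pdfminer, peepdf) on production samples.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for a link-farm PDF (NOT the analysed sample): four link
# annotations, three of them on one host, plus an incremental update that
# redefines object "4 0" with an /AA (additional actions) dictionary carrying a
# /URI action. Everything here is illustrative; real files need a full parser.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Page /Parent 2 0 R >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://midufefew.ru/123?a=1) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://midufefew.ru/123?a=2) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://midufefew.ru/123?a=3) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.ascendercorp.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /URI /URI (https://midufefew.ru/open) >> >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\w)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
# Keys whose presence makes a duplicate body "active content" (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/RichMedia")


def parse_objects(data: bytes):
    """Return (num, gen, body) for every 'N G obj ... endobj' in file order.
    Toy scan: ignores xref tables, object streams and stream contents."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """Flag (num, gen) defined more than once with differing bodies and show
    what a first-wins reader and a last-wins reader would each resolve."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    report = {}
    for key, seen in bodies.items():
        if len(seen) < 2 or len(set(seen)) < 2:
            continue  # single definition, or identical re-emission: benign
        first, last = seen[0], seen[-1]
        # Severity is raised only when either resolution carries active content.
        active = any(k in b for b in (first, last) for k in ACTIVE_KEYS)
        report[key] = {
            "first_wins": first,
            "last_wins": last,
            "active": active,
            "severity": "warning" if active else "info",
        }
    return report


def link_farm_score(data: bytes, min_links=3, top_share=0.6, max_size=200_000):
    """Approximate the PDF_SEO_LINK_FARM shape: a small file whose clickable
    link annotations are numerous and mostly point at one external host.
    Thresholds are assumptions, not the vendor's."""
    hosts = []
    for _num, _gen, body in parse_objects(data):
        if LINK_RE.search(body):  # only clickable link annotations count
            for m in URI_RE.finditer(body):
                host = urlparse(m[1].decode("latin-1")).hostname
                if host:
                    hosts.append(host)
    if not hosts:
        return {"links": 0, "top_host": None, "share": 0.0, "hit": False}
    top_host, n = Counter(hosts).most_common(1)[0]
    share = n / len(hosts)
    hit = len(data) <= max_size and len(hosts) >= min_links and share >= top_share
    return {"links": len(hosts), "top_host": top_host, "share": share, "hit": hit}


if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    for key, info in duplicate_objects(parse_objects(SAMPLE_PDF)).items():
        print(key, info["severity"],
              "first-wins:", info["first_wins"],
              "last-wins:", info["last_wins"])
```

On the constructed sample the link-farm check reports four link annotations with 75% on midufefew.ru and fires, and the duplicate check reports object (4, 0) at raised severity because the appended body introduces an /AA dictionary with a /URI action that a first-wins reader never sees. Against a real sample, compare the first-wins and last-wins bodies of every flagged object before trusting what any single viewer renders.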

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f1f0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1F0 | 5472 bytes
    SHA-256: d285381bf590f2e6919eebed216e0cd7366e34eecda460a74a5aa0c2b435b5c8
font_01_sfnt_off00010485.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10485 | 10556 bytes
    SHA-256: 365c98db94f939aa6ad13e367a2bf8b592b9a5b69fa24e65a10cf7013529fa68