Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7e8c71281bd8c96…

MALICIOUS

PDF

71.2 KB Created: 2021-03-24 11:48:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b16f1f05b69e160a85f61db8b1f1ae0 SHA-1: 7d958fecd4917f23891f35415dd33c026f2060ab SHA-256: d7e8c71281bd8c96fdb894a25cc6a7526fe66acda55d767f340bc011d7644850
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, with one heuristic specifically identifying it as a 'PDF link farm'. The primary malicious URL identified is https://golowaki.ru/wix?keyword=runkles+red+lion, suggesting the document is designed to redirect users to potentially harmful websites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=runkles+red+lion
    • https://cdn.sqhk.co/rozesivotix/wibijja/94512029849.pdf
    • https://cdn.sqhk.co/japokaxe/xjeijhi/truck_wallpaper_4k.pdf
    • https://cdn.sqhk.co/vakanaju/FTjhJLZ/zenivubaxijeworapiget.pdf
    • http://wojisub.mypressonline.com/vixafebapewotewa.pdf
    • http://pojebanidik.mywebcommunity.org/42334220130.pdf
    • https://cdn.sqhk.co/wuvitatutuv/iehFhgt/wolanu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wipadafefuxasi.onlinewebshop.net/nagiwobuxovirugi.pdf
    • https://uploads.strikinglycdn.com/files/5db1b1a9-0af9-4826-b0c5-a2f755fd0ad1/fawal.pdf
    • https://uploads.strikinglycdn.com/files/715aa5d4-daaf-4387-b59c-b72c8d7bbf69/why_is_my_xbox_one_charger_blinking_red.pdf
    • https://43fe4710-460a-4ad3-90dc-2dd795c51528.filesusr.com/ugd/a32c20_246f4e9ba7f74404a6435e169336b879.pdf?index=true
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_0e2934a3c66c4e92be9e9b0b305597d5.pdf?index=true
    • https://63c5840e-267c-49ed-94d3-fc9f9d8b9c0b.filesusr.com/ugd/8c5bc8_730fbe3f55c54629948a88d1c581c199.pdf?index=true
    • https://uploads.strikinglycdn.com/files/465b8895-398a-443f-8b58-2b70efcee9be/los_ros_de_color_prpura_2_1080p_latino.pdf
    • https://uploads.strikinglycdn.com/files/4f2615b8-ab0b-4419-b2f2-3a565e01a0b4/lets_explore_diabetes_with_owls_chapters.pdf
    • https://e028ba52-6c86-493e-86b7-fecf7cd1c3eb.filesusr.com/ugd/bcb9fd_3aa28460699d4168983486c21fff19ca.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6b0c0bc4-fa67-45a2-b8f6-5d169474acea/47868519702.pdf
    • https://uploads.strikinglycdn.com/files/a4ffabc2-86e3-4846-a104-0d28ada89283/90597890140.pdf
    • https://uploads.strikinglycdn.com/files/74550cd4-bad0-4440-8025-de86af95a7f3/dogomuk.pdf
    • https://uploads.strikinglycdn.com/files/6862078c-b711-4961-ae46-6ad15df805ce/crossfit_routine_with_dumbbells.pdf
    • https://uploads.strikinglycdn.com/files/c879029a-bef5-4f41-8d12-ef4258db9c70/four_past_midnight_best_story.pdf
    • https://uploads.strikinglycdn.com/files/21361cee-1ad7-47d7-acea-6dbd5a59a4de/90679978376.pdf
    • https://uploads.strikinglycdn.com/files/dc898b37-47db-4ed9-929c-6b0780533a34/oppo_105d_blu-ray_player.pdf
    • https://uploads.strikinglycdn.com/files/f7fdd114-9774-45ad-b054-b47a2e95c933/92388877518.pdf
    • http://rotufixijisadi.onlinewebshop.net/port_timing_diagram_of_2_stroke_petrol_engine.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d97f.bin
b72263d266c5173d6c6799af9725e0e160f6eb987dd22225d8530d9fb26a3529		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD97F 4680 bytes
font_01_sfnt_off0000e97d.bin
c843f4f8a51abfe41f112a6b4830583d542bfea1dc164758743ab8d33963bf7e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE97D 10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.