Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc6b19585a428063…

MALICIOUS

PDF

74.0 KB Created: 2021-06-03 12:22:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2df91dc4950020fa2b25ac470ea6f9e0 SHA-1: 72697c1886e5db241feb337a1d004dcd0984d275 SHA-256: dc6b19585a42806391875bf1cc1a8e0f0c9d99484f4fcc7976d832cb3ab4c5e5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, with one prominent URL pointing to 'infrive.ru', suggesting a link farm or redirection mechanism. The document body, though heavily obfuscated, appears to be a lure related to song lyrics, a common tactic for phishing or malware distribution. No scripts were extracted, but the PDF structure itself facilitated the embedding of multiple external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/pbw?utm_term=subramanya+ashtakam+lyrics+in+kannada
    • https://static.s123-cdn-static.com/uploads/4470552/normal_5fc79e0ad3af6.pdf
    • https://cdn-cms.f-static.net/uploads/4386848/normal_6029f180d62cb.pdf
    • https://cdn-cms.f-static.net/uploads/4405904/normal_6057159db9b2d.pdf
    • https://cdn-cms.f-static.net/uploads/4448096/normal_6035e6645c155.pdf
    • https://mabaxezo.weebly.com/uploads/1/3/4/7/134766945/judimubulixu_sixugo.pdf
    • https://cdn-cms.f-static.net/uploads/4447658/normal_603f992623a77.pdf
    • https://static.s123-cdn-static.com/uploads/4377403/normal_5fc5dbc957bb5.pdf
    • https://refunijuxi.weebly.com/uploads/1/3/4/7/134748157/nepilolifumazu.pdf
    • https://static.s123-cdn-static.com/uploads/4365570/normal_5ff57be785c7c.pdf
    • https://nozojotama.weebly.com/uploads/1/3/4/5/134585139/magazitulufaxavi.pdf
    • https://cdn-cms.f-static.net/uploads/4483070/normal_5fd8738ebcff8.pdf
    • https://cdn-cms.f-static.net/uploads/4367019/normal_5fe7b64bc8c63.pdf
    • https://cdn-cms.f-static.net/uploads/4421623/normal_600ce637b1ff2.pdf
    • https://static.s123-cdn-static.com/uploads/4366004/normal_5ff4c15d6b8f1.pdf
    • https://cdn-cms.f-static.net/uploads/4393626/normal_6066956eb3607.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/26e01c69-302d-49ac-8a84-0b1c98f57c5d/sorilugafu.pdf
    • https://uploads.strikinglycdn.com/files/f9c8fe47-e63f-43e9-b813-d398f8028601/how_do_i_fix_google_error_404.pdf
    • https://uploads.strikinglycdn.com/files/27202e31-0626-4365-8f23-f16e75385cde/beats_studio_pro_wireless_in_ear_headphones.pdf
    • https://uploads.strikinglycdn.com/files/a34784f7-5fc0-4300-8f44-f0d461576229/57181174627.pdf
    • https://uploads.strikinglycdn.com/files/3a9cdb87-4e6c-4d7b-aaa6-c7ca680bd4b4/karexawisuwuzowulo.pdf
    • https://uploads.strikinglycdn.com/files/aaacbd61-f720-4da3-9651-96edf3e05284/45297057110.pdf
    • https://uploads.strikinglycdn.com/files/330c6c70-1042-45c8-acbc-b51cf10ee0bf/penny_stocks_on_robinhood_2020.pdf
    • https://uploads.strikinglycdn.com/files/25bb2d46-457d-4374-b960-157c4760f4d5/sepegoduporevimifobafaw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e25f.bin
82d9a51dbb73d1b5c7f63383ad8ced4e07b5b38692015b10d58016bf98ef9710		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE25F 5588 bytes
font_01_sfnt_off0000f534.bin
a2be392393c41a04710039fc09219eedf669313fa5195731e84e078c91ddc8f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF534 11756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.