Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd3e2303fae53611…

MALICIOUS

PDF

Size: 81.3 KB
Created: 2021-03-28 00:57:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c15ada4669e902f3a547b907db80c0b3
SHA-1: f0e5b39b276169ad136601cc59e47801bfde8a7a
SHA-256: dd3e2303fae53611a08754090ab6f6bbe0044b3d6e22ff3987354bda468c69e5
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URI pointing to 'jumiwimov.ru', which is likely part of a phishing or malware distribution scheme. The PDF structure also suggests a link farm, further supporting malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=annihilation+of+caste+pdf+in+telugu
    • https://static.s123-cdn-static.com/uploads/4420764/normal_5ff763b07f99c.pdf
    • https://cdn-cms.f-static.net/uploads/4413697/normal_60315a064555c.pdf
    • https://cdn-cms.f-static.net/uploads/4404103/normal_600d3e5054051.pdf
    • https://cdn-cms.f-static.net/uploads/4369920/normal_6029a34f2784a.pdf
    • https://static.s123-cdn-static.com/uploads/4373526/normal_5fdeb9f429cae.pdf
    • https://cdn-cms.f-static.net/uploads/4419626/normal_6042a8327832d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/08da8ae7-2bba-4b0c-8ed1-4a29851ddb3e/the_formula_universal_laws_of_success.pdf
    • http://nusaruzedawuw.rf.gd/ford_mustang_convertible_for_sale_los_angeles.pdf
    • http://karifopiti.epizy.com/90921422673.pdf
    • https://uploads.strikinglycdn.com/files/8e4559d6-ad71-42e5-87bd-5829825b3638/lozabuzopoguwezosirukunow.pdf
    • https://2dc0326d-ac60-47d8-bf46-f2dc9d334570.filesusr.com/ugd/21b4a7_dd5b3e5bca084ceba2c032c0aeee1ecd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/daae368b-ba1b-42a5-96e4-25614625cc8c/black_hawk_down_cast_vs_real.pdf
    • http://josapug.epizy.com/zunuku.pdf
    • https://95043331-d9de-4498-ad98-35b8ac3ee23f.filesusr.com/ugd/5740b2_e8d3e0b3237f474fadb324f6e74eff0e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/76573d1d-cb5d-4836-92db-bb5a737a6a3e/samsung_s4_mini_google_backup.pdf
    • https://uploads.strikinglycdn.com/files/7ca1bc55-45d2-4bcb-a683-7d21f431b1f0/what_is_the_best_charger_for_samsung_galaxy_s7.pdf
    • https://95a57b4d-a24c-4412-bd87-88f4f885d252.filesusr.com/ugd/011e4b_32c82b632f5e4ef1b27db9f52dc021ff.pdf?index=true
    • https://d0f5cf02-e55f-42e7-ba97-8a4d5a2b8368.filesusr.com/ugd/7f59a0_b72626190be24cdbb7d375353e221365.pdf?index=true
    • http://kitabud.rf.gd/safolodunobirolirezatot.pdf
    • https://uploads.strikinglycdn.com/files/531f7718-20b1-4646-a2c6-37fe9a385738/lasko_window_fan_home_depot.pdf
    • https://df9240ce-57b4-430e-a582-521170ca5232.filesusr.com/ugd/10b03a_78b466ab77924304bdd578370b7e11e2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f672934f-3371-44a5-ae09-bee1946b43aa/super_mario_bros_2_game_boy_advance_online.pdf
    • https://uploads.strikinglycdn.com/files/156713db-f530-45f9-bfa9-108cb512088a/26743730986.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off0000fece.bin
  SHA-256: 8f5748036f3b6ea0fd74f2ecbc3a4423fe9ed1abffad4046dfae8670c76ec61a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFECE
  Size: 5308 bytes

Artifact 2
  Filename: font_01_sfnt_off000110e8.bin
  SHA-256: d194cf950298cd30a256812e1b7fec10312e3c141a930c45ae0d6efaa246f555
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x110E8
  Size: 11256 bytes