Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddd0722eb7bfeda6…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Created: 2021-03-19 22:10:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64a5dc49e9cfbb8f45325b8c47162d69
SHA-1: e334caad2d0c858a3afd3663842872f0aed79cf7
SHA-256: ddd0722eb7bfeda659363ebb965d8188879adceef0a4efc0b0be00b610579e8e
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by three independent signals: a critical PDF link-farm heuristic, a ClamAV phishing signature, and an ML classifier score of 0.9986. It carries a large number of clickable external links, most of them to further .pdf files hosted on a handful of free file-hosting and CDN domains, plus one to 'dafemum.ru' whose utm_term references a 'browsec vpn premium apk' lure. That layout matches machine-generated SEO/link-farm PDFs used to route users into unwanted-software delivery chains rather than a document with genuine citations. No JavaScript or other script content was extracted from the file, so the T1059.007 mapping is not backed by an extracted artifact: the risk lies in where the links lead, not in code the PDF reader would execute. The duplicate-object finding is consistent with an ordinary incremental update and is reported at informational severity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the engine labels each URL with the channel (macro, JS, link annotation, document body, ...) that reached it, but those per-URL labels are not reproduced in this listing, so the groups below are drawn from the URL values themselves and from the carved artifacts.
    Link target called out in the summary:
    • https://dafemum.ru/123?utm_term=browsec+vpn+premium+apk
    Further external links, nearly all to other .pdf files on free file-hosting and CDN domains (the link-farm pattern):
    • https://cdn-cms.f-static.net/uploads/4456667/normal_6029a7be4a17e.pdf
    • https://static.s123-cdn-static.com/uploads/4454821/normal_5ff5c703013a5.pdf
    • https://cdn.sqhk.co/reretukida/gjig7fF/81061516880.pdf
    • https://cdn-cms.f-static.net/uploads/4447874/normal_601a090cb561d.pdf
    • http://siwuxedoxip.22web.org/rudejokimetufado.pdf
    • https://cdn-cms.f-static.net/uploads/4370996/normal_60456490280da.pdf
    • https://cdn-cms.f-static.net/uploads/4381735/normal_601b47dc8a72e.pdf
    • https://bebejumupetokox.weebly.com/uploads/1/3/4/5/134513190/giturupigejo.pdf
    • http://xumegexujarev.22web.org/better_off_single_parents_guide.pdf
    • https://cdn.sqhk.co/kafexobesa/ghijjeQ/mother_earth_foods_parkersburg_west_virginia.pdf
    • https://cdn.sqhk.co/jasurisunav/kjfjbku/aesthetic_backgrounds_light_purple.pdf
    • https://cdn-cms.f-static.net/uploads/4418788/normal_601aac192fed1.pdf
    • https://bomawivipevesuw.weebly.com/uploads/1/3/4/8/134852605/25efec69d.pdf
    • http://kindraretterath.com/2004_honda_civic_ex_service_manualzu1zx.pdf
    • http://twitter-center.com/emtech_zm-_2mai1n.pdf
    • https://static.s123-cdn-static.com/uploads/4393188/normal_5ff1eda6988b9.pdf
    • https://giretalude.weebly.com/uploads/1/3/4/6/134677333/7510198.pdf
    • https://fikuvigobe.weebly.com/uploads/1/3/4/5/134582673/fazawefeniw.pdf
    • https://zokolukesowi.weebly.com/uploads/1/3/0/7/130776120/bikinepamovudu.pdf
    • https://cdn.sqhk.co/xugosovemi/FhglUy3/bexed.pdf
    • http://nadedusirosub.22web.org/king_james_bible_dictionary_download.pdf
    • http://remavolef.epizy.com/que_es_la_autoridad_aduanera.pdf
    Non-link strings: XMP metadata namespace URIs and the vendor/licence URLs most likely carried in the name tables of the five embedded fonts listed under extracted artifacts. These are inert and expected in wkhtmltopdf output; do not treat them as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
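The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on a raw file with a short scan. The Python below is an added example written for this page, not the analysis engine's code. It builds a constructed PDF inline (not the analysed sample), counts /URI actions and how strongly they cluster on one host using thresholds that are my assumptions rather than the engine's, and lists objects defined twice with different bodies, showing what a first-wins and a last-wins reader would each resolve and raising severity only when a duplicate carries active content, as the report describes. It scans raw bytes only, so anything inside FlateDecode streams or object streams (/ObjStm) is invisible to it; on a real sample, inflate streams with a proper PDF parser first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF skeleton with
# five /Link annotations, four of them to one host, and object 5 defined a
# second time after the first %%EOF with a different body, the way an
# incremental update appends objects.  Kept as bytes so the scan runs offline.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/123?utm_term=a) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/123?utm_term=b) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/123?utm_term=c) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/123?utm_term=d) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/normal.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" bodies in file order (duplicates included), literal-string
# /URI operands, and the action keys that make a duplicate body "active content".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|SubmitForm|OpenAction|AA)\b")


def parse_objects(data):
    """Every indirect object definition, in file order, including duplicates."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def extract_uris(data):
    """Literal-string /URI operands found anywhere in the raw bytes."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm_check(data, max_size=200_000, min_links=5, min_share=0.7):
    """Assumed thresholds: a small file, many external links, most on one host."""
    uris = extract_uris(data)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {
        "uris": len(uris),
        "top_host": top_host,
        "top_share": round(share, 2),
        "flagged": len(data) <= max_size and len(uris) >= min_links and share >= min_share,
    }


def duplicate_objects(data):
    """Object numbers defined more than once with differing bodies, with what a
    first-wins and a last-wins reader would each resolve them to."""
    bodies = {}
    for num, gen, body in parse_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    dups = {}
    for key, seq in bodies.items():
        if len(seq) > 1 and len(set(seq)) > 1:
            dups[key] = {
                "first_wins": seq[0],
                "last_wins": seq[-1],
                "active_content": any(ACTIVE_RE.search(b) for b in seq),
            }
    return dups


def duplicate_severity(dups):
    """Mirror the report's rule: info unless a duplicate carries active content."""
    return "critical" if any(d["active_content"] for d in dups.values()) else "info"


if __name__ == "__main__":
    print(link_farm_check(SAMPLE_PDF))
    dups = duplicate_objects(SAMPLE_PDF)
    print("duplicate-object severity:", duplicate_severity(dups))
    for (num, gen), d in dups.items():
        print(f"obj {num} {gen} first-wins: {d['first_wins'][:70]!r}")
        print(f"obj {num} {gen} last-wins:  {d['last_wins'][:70]!r}")
```

Run on the constructed file, the link-farm check reports five links with 80% on dafemum.ru and flags the file; the duplicate check shows object 5 resolving to a plain /URI link in a first-wins reader and to a /JavaScript action in a last-wins reader, which is the case the report's heuristic escalates to critical. Against the real sample the duplicate carried no active content, which is why it stayed at informational severity.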

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
------------------------------------------------------------------------------------------------------
font_00_sfnt_off0000ecca.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xECCA   6568 bytes
  SHA-256: 2ba6e0c4516ae528974428ab90d2fcb845e31fc6427c3681d976df34e50bf0fe
font_01_sfnt_off0000fd17.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFD17   5312 bytes
  SHA-256: e4a55803a6a31d478b02c8a27cc90dedb41e5fe31966b512d83fc83b32a4aaf2
font_02_sfnt_off00010f25.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10F25  9160 bytes
  SHA-256: 5f6713206797bd9b6d7dc2e002d3c49a2b4d96e49db6cd297fc7f81c1d6f3414
font_03_sfnt_off00012d2c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12D2C  17232 bytes
  SHA-256: 3c06dcf9b19c5f4e66c7d95a1ecfdf01ab6185c09f56c35bd295b3e085f6b361
font_04_sfnt_off0001623c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1623C  16256 bytes
  SHA-256: 434aae299edf0176e671ab3bc0d322c8073aab91b2f5b9b6b437fcae9386e09a