Malicious PDF — malware analysis report

Static analysis result for SHA-256 df85d648a4156d0d…

MALICIOUS

PDF

76.3 KB Created: 2021-05-20 14:09:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a20ec2a3790488ea40e74a918eb2114 SHA-1: 8ab4422fd5d7bb5e4685de7c5dfe6e44590e3b73 SHA-256: df85d648a4156d0d5f1be86b0294d447c08a482bfbf9911f4bfadda384927828
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of a large number of external links, including a link farm, suggests the document is designed to redirect users to potentially harmful websites. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=how+to+play+three+kingdoms+overlord+on+pc
    • https://gagafilesiruw.weebly.com/uploads/1/3/4/8/134886729/rojubivadidevurede.pdf
    • https://rakerekibakefe.weebly.com/uploads/1/3/4/5/134596095/9279152.pdf
    • https://gawenowufiwozup.weebly.com/uploads/1/3/1/3/131383543/6912387.pdf
    • https://bopexetijajab.weebly.com/uploads/1/3/1/4/131411078/4a493b3cc51.pdf
    • https://fujikoxeloto.weebly.com/uploads/1/3/5/3/135307408/kogojinozabo.pdf
    • https://wisapemewe.weebly.com/uploads/1/3/4/7/134713478/b11947d63.pdf
    • https://dexewagumaz.weebly.com/uploads/1/3/1/4/131438443/2808757.pdf
    • https://zufulakoloti.weebly.com/uploads/1/3/5/3/135301661/fetusubol.pdf
    • https://pevidutapare.weebly.com/uploads/1/3/0/7/130740538/foxeki-nigimi-ferepovovoli-niwedirovuwitir.pdf
    • https://jeketivogusu.weebly.com/uploads/1/3/1/3/131398097/9180286.pdf
    • https://noragunefide.weebly.com/uploads/1/3/1/6/131637841/425ff.pdf
    • https://ponebivilu.weebly.com/uploads/1/3/4/5/134505494/4706760.pdf
    • https://rudagaje.weebly.com/uploads/1/3/4/3/134310377/xizoditasalo_zakewulu_rozalitowep.pdf
    • https://numilobes.weebly.com/uploads/1/3/4/2/134235742/bulararijeg.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/22eab456-5691-49a7-8cd4-078e468d0a1a/99196736757.pdf
    • https://uploads.strikinglycdn.com/files/f7c83cd3-248b-4d73-805b-bd173339b263/77649051247.pdf
    • https://uploads.strikinglycdn.com/files/479ecfec-0be2-467a-8740-2760dfb47d6c/41046839545.pdf
    • https://uploads.strikinglycdn.com/files/6847fdee-2e2e-42ec-b04c-8db8e8befa62/sezijerit.pdf
    • https://uploads.strikinglycdn.com/files/aa30c64c-740e-4c08-b74d-9385857cf0e3/46105282035.pdf
    • https://uploads.strikinglycdn.com/files/cb346d08-3b76-457c-8c29-91bec8d53f16/rca_7_android_6.0_tablet_review.pdf
    • https://uploads.strikinglycdn.com/files/9e85d85f-1d44-4e01-baf2-276b751cc040/cloud_data_storage_security_issues.pdf
    • https://uploads.strikinglycdn.com/files/5436caf8-ef61-4691-8969-968ea93b71c6/febodinawanigonilanefalu.pdf
    • https://uploads.strikinglycdn.com/files/6c010399-8107-4a9b-8d41-707ede7bdf7f/4591097605.pdf
    • https://uploads.strikinglycdn.com/files/328263fb-b7ff-4151-b1a7-6903153205e6/59865740947.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb96.bin
2583baad83ec93b6734257ee10c5b438fc8117850deba4855db11cb49716ef0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB96 5768 bytes
font_01_sfnt_off0000ff2d.bin
0c1f09db5f105d1b9ee15835a4e325c118e176ebe12afde98a6fb58b0d98807e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF2D 10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.