Malicious PDF — malware analysis report

Static analysis result for SHA-256 e387ef2ad3cf1ac7…

MALICIOUS

PDF

93.7 KB Created: 2021-03-16 15:25:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c7b3d908c5d6306fff0efed39216b75d SHA-1: 61095e60e633e1352af129d658a5911bf658f4be SHA-256: e387ef2ad3cf1ac7779919bd76034e4c4e7224525ee2178eacd3bdf9dd0b6249
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for Pdf.Phishing.Trojan. The presence of a large number of external PDF links, many with numeric slugs, suggests a link farm designed to manipulate search engine results or direct users to malicious content. The primary malicious URL identified is https://midufefew.ru/wix?keyword=bomb+it+7+y8.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=bomb+it+7+y8
    • https://cdn.sqhk.co/kakapoxavu/zgcjeUz/92357780581.pdf
    • https://cdn.sqhk.co/xexisini/3gguoje/8769510309.pdf
    • https://cdn.sqhk.co/sawitofi/zRogjhi/32931423842.pdf
    • https://vepazigomopu.weebly.com/uploads/1/3/4/3/134398405/vuzutewasuno.pdf
    • https://cdn.sqhk.co/parabeset/jejhjfM/zemisa.pdf
    • https://cdn.sqhk.co/zoribakim/cghvvM1/37691695321.pdf
    • https://static.s123-cdn-static.com/uploads/4408170/normal_5ff15c16be9e0.pdf
    • https://cdn.sqhk.co/bexuxoxabim/yje24mk/beer_pong_championship_nz.pdf
    • https://vowagogo.weebly.com/uploads/1/3/5/3/135307183/1382951.pdf
    • https://vuwawirekexaz.weebly.com/uploads/1/3/0/9/130969699/dedumefamixerezinux.pdf
    • https://cdn.sqhk.co/piwoputi/hjFsiaB/65280649015.pdf
    • https://cdn.sqhk.co/zarejesorufo/d74jct1/12920785384.pdf
    • https://static.s123-cdn-static.com/uploads/4392207/normal_5fe58f91461f2.pdf
    • https://rimenedefogifu.weebly.com/uploads/1/3/4/4/134466040/1cae4df.pdf
    • https://cdn.sqhk.co/xomatujod/ihhcKMQ/mapuliteruwen.pdf
    • https://jotipipadazazo.weebly.com/uploads/1/3/4/3/134319758/vosuruteka-ramuxa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://8ca15cf9-c5bf-4329-906a-32df3c7b5ab7.filesusr.com/ugd/4ca7f5_ac26f35a88b543aaacaabba5b21095cc.pdf?index=true
    • https://af1bea64-f5cd-41c2-a7c1-97f21c1aa057.filesusr.com/ugd/592671_6b3c6a953bf14faebd90cd4ec1846efd.pdf?index=true
    • https://6f847715-c85a-45d9-ae5c-7c68cc800588.filesusr.com/ugd/6e100b_c263029718004705b3ef45960fbfbe31.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5e1e1318-16e9-49ce-8551-233127c28e3f/lanidemupagimiw.pdf
    • https://uploads.strikinglycdn.com/files/03c4d095-2c32-4a28-b53c-5e7ad6151d9b/reading_comprehension_test_for_grade_3_with_questions_and_answers.pdf
    • https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_7c1abae2a038456280b8a2e2fccb6761.pdf?index=true
    • https://uploads.strikinglycdn.com/files/be1395cc-60b7-4562-9af6-34c8e4637647/bosch_silence_plus_error_code_e24.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000105e8.bin
71f21ec1ff975309949efd65b5bdc969c76673dcb45663beb4940958810b5cdd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105E8 4880 bytes
font_01_sfnt_off0001167d.bin
90ec64c6cba85328049f394919cd62e61cd86478018e3b339906b7b4c8887069		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1167D 9792 bytes
font_02_sfnt_off00013211.bin
b05d63ef58efba77ab91e08207e3228cdee415378384de88b182bfc1a8023f59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13211 21252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.