Malicious PDF — malware analysis report

Static analysis result for SHA-256 f049f13891852465…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Created: 2021-04-18 22:40:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9fac79282f7a2c7e6ce835baffbeb04
SHA-1: 7c2d1aaaae829d50893937d4ba0e8990691c252b
SHA-256: f049f1389185246516eb956eba37e04ae034b942bb6b3733ab43b340e43ab454
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a PDF link farm. One of the primary URLs, 'https://dafemum.ru/strik?utm_term=what+are+the+3+rivers+in+pittsburgh', is directly associated with the malicious verdict and ClamAV detection. The document body, though heavily obfuscated, contains text related to the URL's query, suggesting a lure to a website. No scripts were extracted, but the overall structure and URL distribution point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=what+are+the+3+rivers+in+pittsburgh

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000efcd.bin
    SHA-256: ab81c4fcd989e418bf89a1bb4fdaf4639d6fa59e9db67432cb0de8fa8922c3f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFCD
    Size: 5424 bytes
  • font_01_sfnt_off0001024a.bin
    SHA-256: ef88f235ded0e54bce1443d8059e99c05ea6f79503fc9437e7c1933f6116e167
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1024A
    Size: 10416 bytes