Malicious PDF — malware analysis report

Static analysis result for SHA-256 f24b89e9f725e28c…

MALICIOUS

PDF

Size: 89.0 KB
Created: 2021-03-19 09:04:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c90be9bacf3a06f55a459dc5cd97a52e
SHA-1: 75b0b5407720d9dd9f7fa680d7b3bbc1f4eb58b1
SHA-256: f24b89e9f725e28c930b20d2e119dca5789c977286ede9c8275b6a0393c82957
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking PDF files, but one prominent link points to a suspicious domain 'dafemum.ru'. This suggests a link farm or phishing attempt designed to redirect users to malicious content. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9958

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://dafemum.ru/strik?utm_term=data+science+manager+jobs+in+canada

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011e80.bin
  SHA-256: d27953f860d53377f89d690d9a02094ef8d68292d9ec2d32c7a2999631664b47
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11E80
  Size: 5440 bytes

Filename: font_01_sfnt_off000130ea.bin
  SHA-256: 731f9730415ffbc18b9eaa90f18f759fb13bfc9c20a3fd4c17de908888027291
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x130EA
  Size: 10832 bytes