Malicious PDF — malware analysis report

Static analysis result for SHA-256 f29de940e5329b75…

Verdict: MALICIOUS
File type: PDF
Size: 87.8 KB
Created: 2021-04-18 21:45:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39c894e60a7102efa14e4588dc3a12db
SHA-1: 73a351ba1c28771def9341973e8b8f6b804737d3
SHA-256: f29de940e5329b757ce40faf80cd9936da0e4182f0c6918184a96e2d1126e042
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier. It contains numerous external links, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, contains references to 'Dante's inferno 2010 game' and the authoring application 'wkhtmltopdf', likely used as lures to disguise the malicious intent of directing users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f137.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF137
    Size: 5064 bytes
    SHA-256: 3f6de1aec48a87403f10b03a083c4c45b4df4279029407cccc41234dc55218ca
  • font_01_sfnt_off0001031d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1031D
    Size: 5416 bytes
    SHA-256: b887aa179ae558a1e2a8df6ab107786951ee0a6b8736113ec83530deb2072989
  • font_02_sfnt_off0001157e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1157E
    Size: 7084 bytes
    SHA-256: c2fd14632d49e51f7e61466e6c48c5a0b2e221efcf790d4d283389dad30ad801
  • font_03_sfnt_off0001284e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1284E
    Size: 12660 bytes
    SHA-256: a706bf8c8df47a38562aaf907d6061d73baa5244ee1594dcf98c4d2b2dcc8b19