Malicious PDF — malware analysis report

Static analysis result for SHA-256 f30406fda4b1769d…

MALICIOUS

PDF

Size: 87.2 KB
Created: 2021-04-01 22:02:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: 11c3614ee47baa89f1b1c2130568cf5c
SHA-1: 5884af028c45d7fc937aee1be7c47b50628a49d8
SHA-256: f30406fda4b1769d8639f961cb149a84687c24effb1d1a9e80390d7b74791b85
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external URLs. The one reached through a link annotation points to a domain that looks like part of a link farm built to catch users searching for media downloads; the rest appear as bare strings in the document text, most of them other PDF files on a handful of static-hosting and S3 endpoints, which is the generated SEO-carrier pattern rather than a citation list. The ClamAV signature and the ML classifier both rate the file malicious, consistent with phishing or unwanted-software distribution by redirection. No script objects were extracted, so the T1059.007 (JavaScript) mapping is not supported by the recovered content; the evidence is the URI structure, not active code. The remaining URLs (w3.org, purl.org and ns.adobe.com namespaces, the SIL OFL and DejaVu licence links) come from XMP metadata and embedded font licence strings and are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature above.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/wix?keyword=jason+derulo+2+chainz+talk+dirty+mp3+download  (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4496818/normal_5ff5421c184b1.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369632/normal_602f35a07af1e.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4416501/normal_602542d80903d.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4382620/normal_60558ed1944d3.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • https://s3.amazonaws.com/wuniku/50995377530.pdf  (in PDF document text)
    • https://234d5d8d-19c9-4cab-a884-dd0775662658.filesusr.com/ugd/fb7225_ed88ec512ecf4a7f9a2643680360e8b8.pdf?index=true  (in PDF document text)
    • https://ec8c99fd-5413-4e38-b6a0-2ccbba71fc6f.filesusr.com/ugd/de02f3_028ed76a86914cb488e595c506760728.pdf?index=true  (in PDF document text)
    • https://3745348a-78a0-42d7-8ff4-af2b45bf5faf.filesusr.com/ugd/02631b_b6220697a2884ba683fa4c8ca6c866cf.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/vuzotisenixava/hernia_inguinalis_inkarserata.pdf  (in PDF document text)
    • https://94226b1b-8363-4ad6-a779-e61b7b16ff5b.filesusr.com/ugd/b3bc21_1358ff3c8050439eb82c5fb5d126c4a9.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/tesodagiwor/cerebrosidos_y_gangliosidos.pdf  (in PDF document text)
    • https://s3.amazonaws.com/zoromexemuzid/what_is_the_origin_of_the_mashed_potato_powder.pdf  (in PDF document text)
    • https://s3.amazonaws.com/gebukil/assassin_s_creed_revelations_dlc_trophy_guide.pdf  (in PDF document text)
    • https://64f1e6a9-4530-4009-9f9b-67b91dd69f79.filesusr.com/ugd/76b6de_c8efa00076974b54b38a02de89845118.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/jutenojamega/webex_calling_configuration_guide.pdf  (in PDF document text)
    • https://77a48bbd-706a-45f8-a225-ac1cc02029d7.filesusr.com/ugd/3be48b_e774ec0e54e843179b7a8dad32044ab5.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/boduxatavepe/19536780626.pdf  (in PDF document text)
    • https://s3.amazonaws.com/bejeseja/83303018837.pdf  (in PDF document text)
    • https://ececae0b-1312-4a4c-959a-117928b3d478.filesusr.com/ugd/e6721e_9fc1f05ed6a94f7faf2676b24a06da61.pdf?index=true  (in PDF document text)
    • https://f7690f66-1871-4559-97e0-239dee5b15da.filesusr.com/ugd/d2cc1f_fa60bc4f136444998a6395593fb94bb0.pdf?index=true  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
    • http://dejavu.sourceforge.net  (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License  (in PDF document text)
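The PDF_URI, EMBEDDED_URL, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks above can all be reproduced with a few regular expressions over the raw bytes. The script below is an added example written for this page, not the analysis platform's code. It scans a constructed miniature PDF in the same shape as the sample (link annotations clustered on one host, a bare URL inside a content stream, an object redefined in an appended incremental update); the link-farm thresholds (min_links, min_share, max_size) and the ACTIVE_KEYS list that decides whether a duplicate object escalates are illustrative assumptions, not the platform's values.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: four link annotations (three on one host),
# one bare URL inside a content stream, and object 5 defined twice, the second time in an
# appended incremental update whose body carries a JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] /Contents 8 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/wix?keyword=mp3+download) >> >> endobj
8 0 obj << /Length 55 >> stream
BT (see http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal-string URIs; escapes not handled
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys whose presence in a duplicated body escalates the duplicate-object finding (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def iter_objects(data):
    """Yield (number, generation, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def extract_urls(data):
    """Map each URL to the channel that reaches it: a /URI action (clickable) wins over a
    bare string that merely occurs somewhere in the file ('document text')."""
    urls = {}
    for _num, _gen, body in iter_objects(data):
        if re.search(rb"/S\s*/URI\b", body):
            channel = "link annotation" if b"/Link" in body else "URI action"
            for m in URI_RE.finditer(body):
                urls[m.group(1).decode("latin-1")] = channel
    for m in TEXT_URL_RE.finditer(data):
        urls.setdefault(m.group(0).decode("latin-1"), "document text")
    return urls


def link_farm_score(data, min_links=4, min_share=0.6, max_size=512 * 1024):
    """PDF_SEO_LINK_FARM shape: a small file whose clickable links cluster on one host.
    The three thresholds are illustrative assumptions, not the report's values."""
    hosts = Counter(urlsplit(u).hostname or "" for u, ch in extract_urls(data).items()
                    if ch == "link annotation")
    total = sum(hosts.values())
    if total == 0:
        return {"hit": False, "links": 0, "top_host": None, "share": 0.0}
    top_host, top_n = hosts.most_common(1)[0]
    share = top_n / total
    hit = len(data) <= max_size and total >= min_links and share >= min_share
    return {"hit": hit, "links": total, "top_host": top_host, "share": share}


def duplicate_objects(data):
    """Objects defined more than once with differing bodies, plus the escalation flag."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body.strip())
    out = {}
    for key, bodies in seen.items():
        distinct = []
        for b in bodies:
            if b not in distinct:
                distinct.append(b)
        if len(distinct) > 1:
            active = any(k in b for b in distinct for k in ACTIVE_KEYS)
            out[key] = {"bodies": distinct, "active": active}
    return out


def resolve(data, num, gen=0, policy="last"):
    """What a first-wins or last-wins reader sees for object (num gen)."""
    bodies = [b.strip() for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF).items():
        print(f"{channel:16} {url}")
    print("link farm:", link_farm_score(SAMPLE_PDF))
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen}: {len(info['bodies'])} bodies, active content={info['active']}")
    print("first-wins:", resolve(SAMPLE_PDF, 5, policy="first"))
    print("last-wins: ", resolve(SAMPLE_PDF, 5, policy="last"))
```

Run it and the two resolve() lines show the parser-confusion point directly: a first-wins reader gets a link to farm.example, a last-wins reader gets the JavaScript action, so any verdict that depends on "what the document does" has to state which resolution policy it assumed. On the real sample only the midufefew.ru URL is reached through a link annotation; the other PDF URLs are document text, which is why the channel label, not the URL itself, carries the detection weight.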

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000df54.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF54 | 3264 bytes
  SHA-256: 53df27996c0d8a5f6434418ebcf7eb9f637d1c7cfd4618c0765e43bea0b1df04
font_01_sfnt_off0000eb10.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB10 | 5904 bytes
  SHA-256: e3dc9d0becd47e5d4b55908c8a6806cb25db762e7698de401d74a41eb0a1052e
font_02_sfnt_off0000ff16.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF16 | 1888 bytes
  SHA-256: ac14972b7b2947834c866a693307dd83921f9e40fad0e2ab592cecd13463aa54
font_03_sfnt_off00010829.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10829 | 11660 bytes
  SHA-256: e1e12205ae407f94bc9527d52351e0424ef0c1ec32e15683909518be4a918898
font_04_sfnt_off00012ec3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12EC3 | 18776 bytes
  SHA-256: 1df41416ece054d3cca32f135e48dc95f4d9c8a2bff4ba4edba1d14e21aabef6
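How the font artifacts above are carved: an added example for this page, not the analysis platform's code. It walks every stream object, inflates /FlateDecode streams, keeps the ones whose decoded bytes begin with an sfnt magic, hashes them and sanity-checks the table directory (a record that runs past the blob is the first thing to look at when an embedded font is suspected of targeting the reader's font engine). The PDF it runs on is constructed inline around two synthetic sfnt blobs that are not usable fonts, so it runs offline; the output naming mirrors the artifact filenames in the table. TrueType collections (ttcf) are deliberately out of scope.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType / Apple 'true' / CFF OpenType
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only, not 'N G R'


def build_sfnt(tables):
    """Assemble a minimal sfnt container: 12-byte header, 16-byte table records, 4-byte
    padded table data. Constructed test data for this example, not a usable font."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    directory, blobs = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, payload in tables:
        padded = payload + b"\0" * (-len(payload) % 4)
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        blobs += padded
        offset += len(padded)
    return header + directory + blobs


# Constructed sample PDF: one raw sfnt stream, one /FlateDecode sfnt stream, one non-font stream.
FONT_A = build_sfnt([(b"head", b"\0" * 54), (b"name", b"DejaVuSans")])
FONT_B = build_sfnt([(b"head", b"\0" * 54)])
FONT_B_DEFLATED = zlib.compress(FONT_B)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"10 0 obj << /Length %d /Length1 %d >> stream\n" % (len(FONT_A), len(FONT_A))
    + FONT_A + b"\nendstream endobj\n"
    + b"11 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
    % (len(FONT_B_DEFLATED), len(FONT_B))
    + FONT_B_DEFLATED + b"\nendstream endobj\n"
    + b"12 0 obj << /Length 5 >> stream\nhello\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def iter_streams(data):
    """Yield (dictionary bytes, data offset, raw stream bytes) per stream/endstream pair.
    A direct /Length is trusted; otherwise the data runs up to the endstream keyword."""
    for m in STREAM_RE.finditer(data):
        start = m.end()
        dict_bytes = data[max(data.rfind(b" obj", 0, m.start()), 0):m.start()]
        length = LENGTH_RE.search(dict_bytes)
        if length:
            end = start + int(length.group(1))
        else:
            end = data.find(b"endstream", start)
            if end < 0:
                return
            if data[end - 1:end] == b"\n":      # EOL before endstream is not stream data
                end -= 1
        yield dict_bytes, start, data[start:end]


def parse_table_directory(sfnt):
    """Return [(tag, offset, length, in_bounds)] from the sfnt table directory; a directory
    cut short is reported as a single '<truncated>' record."""
    if len(sfnt) < 6:
        return [("<truncated>", None, None, False)]
    num_tables = struct.unpack(">H", sfnt[4:6])[0]
    tables = []
    for i in range(num_tables):
        rec = sfnt[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            tables.append(("<truncated>", None, None, False))
            break
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        tables.append((tag.decode("latin-1"), off, length, off + length <= len(sfnt)))
    return tables


def carve_sfnt_fonts(data):
    """Carve every stream whose (decoded) bytes start with an sfnt magic, naming the
    output the way the artifact table does: font_NN_sfnt_off<offset>.bin."""
    fonts = []
    for dict_bytes, offset, raw in iter_streams(data):
        payload = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue
        if payload[:4] not in SFNT_MAGICS:
            continue
        fonts.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(fonts), offset),
            "kind": "pdf-font-stream",
            "offset": offset,
            "size": len(payload),
            "compressed": payload is not raw,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "tables": parse_table_directory(payload),
        })
    return fonts


if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        flag = "" if all(t[3] for t in f["tables"]) else "  <-- table directory out of bounds"
        print(f"{f['name']}  {f['size']} bytes  sha256={f['sha256'][:16]}...  "
              f"tables={[t[0] for t in f['tables']]}{flag}")
```

The hashes the carver produces are what make the artifact table actionable: five fonts from a wkhtmltopdf render are expected, and their SHA-256 values can be compared against known font files (the DejaVu licence URLs in the document text suggest where to look) so that only an unmatched or malformed font stream needs a closer look.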