Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8a69b61479ad675…

Verdict: MALICIOUS
File type: PDF
Size: 83.5 KB
Created: 2021-03-18 08:59:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bdda60e6cbdc74cb6af78a25f3628e38
SHA-1: 75ad93e59c3f1e1f1e2bb1153d0a4055f05db14d
SHA-256: f8a69b61479ad67558d9e4a0915bf33ce0b2d2bc95e9336c698ffbe0e696360e
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, and the 'PDF_SEO_LINK_FARM' heuristic specifically flags the large number of links as a link farm. The primary URL, 'https://druttle.ru/wix?keyword=fashion+solitaire+2+download', suggests a lure to download content. While no scripts were explicitly extracted, the PDF structure and the presence of external links strongly suggest an attempt to redirect users to malicious websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://druttle.ru/wix?keyword=fashion+solitaire+2+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f681.bin
  SHA-256: 2ce5a7286efefc5aae27ce1c31b3347e159d00bd30cf97f509a0b7f7d49caffb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF681
  Size: 6440 bytes

Filename: font_01_sfnt_off00010676.bin
  SHA-256: 67aa021fe05d31f2c0cac928d365c17ff057f156ffa3a37d99721ef242d3a32b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10676
  Size: 5092 bytes

Filename: font_02_sfnt_off000117d5.bin
  SHA-256: 469e9f139a823a944a7e4d97f476b17f8fbc93fc5a56c30be864e01699b95574
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x117D5
  Size: 11900 bytes