Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8af89ec6823cc7c…

MALICIOUS

PDF

Size: 78.5 KB
Created: 2021-03-16 15:57:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 042d9bfe818e960031cafa0f73419974
SHA-1: b5c1a771c659f08737cbdb97600de78178709712
SHA-256: f8af89ec6823cc7c708514bf7a50026ff0da214ad6d03d86293d511bcea66600
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This small PDF, generated with wkhtmltopdf, carries a large number of external link annotations. Most targets are SEO-style filenames ending in .pdf hosted on free web-hosting and site-builder services (weebly.com, filesusr.com, strikinglycdn.com, mygamesonline.org and similar), the pattern of a generated link-farm carrier rather than a document citing its sources. The primary lure URL is https://dafemum.ru/strik; its utm_term parameter carries a movie-title search phrase, consistent with search-engine bait. The ClamAV signature and the ML classifier both flag the file as malicious, and the expected use is routing users into phishing or unwanted-software delivery chains. Two caveats for triage: the only active content evidenced by the heuristics below is URI link actions, and no JavaScript object was flagged, so the T1059.007 mapping is not corroborated by this analysis; and several listed URLs (the w3.org, purl.org and ns.adobe.com namespaces, scripts.sil.org/OFL, and most likely ascendercorp.com) originate from XMP metadata and embedded-font licence strings and are not indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=fantastic+beasts+and+where+to+find+them+2001
    • http://ruvujagefeko.mygamesonline.org/33040502597.pdf
    • https://lukafove.weebly.com/uploads/1/3/4/6/134655473/881c775ef.pdf
    • http://figimumagoko.mygamesonline.org/r_programming_for_data_science_amazon.pdf
    • https://fotawadibegul.weebly.com/uploads/1/3/1/1/131163643/juvevilaguzi-wekebedojopomow.pdf
    • https://kikizesojumare.weebly.com/uploads/1/3/4/7/134718780/3265202.pdf
    • https://rawoxozuk.weebly.com/uploads/1/3/2/6/132695352/8374dda313.pdf
    • http://jozipuvuwuzaj.mywebcommunity.org/all_in_one_english_communicative_class_10.pdf
    • https://xegunato.weebly.com/uploads/1/3/4/3/134315925/5102999.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6d706a39-1f93-4f1a-9423-caccf7e65e71.filesusr.com/ugd/69f91f_fbfa3b52fafb4cafb377da3341b8e904.pdf?index=true
    • https://2a07c75e-e898-48ba-b326-4cccc82d0599.filesusr.com/ugd/ff154e_d84c87d418a241a881e8c04bb7056db7.pdf?index=true
    • https://26577e91-18e8-42c3-8e85-49dcca1d6605.filesusr.com/ugd/195787_5b95dcb92f054a54b77ceebabf044448.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4b752a6a-d44d-4ff8-9693-d361398f0cc1/62495342289.pdf
    • https://uploads.strikinglycdn.com/files/8b4707d4-2f00-4db5-bd15-f7de8d627f59/examples_of_air_borne_diseases_in_plants.pdf
    • https://d4078116-a2d5-466f-97e6-20d899f6ca30.filesusr.com/ugd/576447_5224ccd3821443b8b0ea635c207d667d.pdf?index=true
    • https://ba789de2-c385-43ee-b32d-a34c698d1993.filesusr.com/ugd/b7082a_8571fe70f6514e4e883a30edc26b3ce6.pdf?index=true
    • https://3f5765b5-411c-4b28-96d1-a1e3b219bcee.filesusr.com/ugd/ca847e_6cc65b6b9eda4f3b8f0c064d65b066f9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7685ea06-1c0b-4a89-bd69-c0c4bfafe5a7/the_spectacular_now_movie_cast.pdf
    • https://9c12218e-e157-4070-b33f-4467b3cb42bb.filesusr.com/ugd/0c60a0_ef57b34624f249d09e88fb778572b1f0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/be8bf62d-74ee-4552-b726-ce7097fe223d/how_do_you_know_if_your_cat_has_autism.pdf
    • https://3175e58c-9db9-4d87-bcb9-15e03531d93d.filesusr.com/ugd/c93210_eea2b23b2db0487dbacf4ebf09853dc7.pdf?index=true
    • http://watusatuvor.myartsonline.com/dojoti.pdf
    • https://a1d3e036-d9a1-4be1-9d2f-eedbb581cb22.filesusr.com/ugd/3ce946_b3c8b8c0ccb247eca800422d186bf29d.pdf?index=true
    • https://9f503c4c-bf14-4dcb-9a7a-68e0e5bb3568.filesusr.com/ugd/8ac1ab_1e4d5e580ed0458aa60f949198854883.pdf?index=true
    • https://uploads.strikinglycdn.com/files/47085ffc-d8a2-4ec0-8267-1cb0c7f64d03/wimil.pdf
    • https://3485775d-af35-4505-8fb4-f6750f575e04.filesusr.com/ugd/42f18e_74b3201057424ac392d6620a38d8d17e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
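Added example, not the report's or the analysis engine's code: a small Python scanner that reproduces the shape of two heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) together with the EMBEDDED_URL caveat, run against a constructed PDF. It resolves the object table both first-wins and last-wins, reports duplicated object bodies and raises severity only when one of them carries active content, separates /URI action targets from URL-looking strings in XMP metadata, and scores host clustering and the share of .pdf targets. The sample PDF, the host names, the active-content key list and the thresholds are assumptions; the scan is regex-based on raw bytes and ignores xref tables and compressed object streams, so it is a triage aid rather than a parser.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# xref-agnostic raw scan: see every definition in file order, including ones a
# later incremental update (or a crafted xref) would hide from a spec-following reader.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")
# Keys treated as active content when found in a duplicated body (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm", b"/URI")

def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)

def resolve(data, policy="last"):
    """Object table as a first-wins or last-wins reader would build it."""
    table = {}
    for num, gen, body in iter_objects(data):
        if policy == "first":
            table.setdefault((num, gen), body)
        else:
            table[(num, gen)] = body
    return table

def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same (num, gen), different bodies.
    Severity is raised only when either body carries active content."""
    first, last = resolve(data, "first"), resolve(data, "last")
    findings = []
    for key in last:
        if first[key] != last[key]:
            f_act = any(k in first[key] for k in ACTIVE_KEYS)
            l_act = any(k in last[key] for k in ACTIVE_KEYS)
            findings.append({"object": "%d %d" % key,
                             "severity": "high" if f_act or l_act else "info",
                             "first_wins_has_action": f_act, "last_wins_has_action": l_act})
    return findings

def action_uris(data, policy="last"):
    """URLs a click (or /OpenAction) actually reaches: /URI action targets, resolved
    under the given duplicate policy. Only the string escapes relevant to URLs are undone."""
    uris = []
    for body in resolve(data, policy).values():
        for m in URI_RE.finditer(body):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uris.append(raw.decode("latin-1"))
    return uris

def non_action_urls(data):
    """URL-looking strings that are not action targets (XMP namespaces, licence
    pointers, body text): listed for completeness, not indicators by themselves."""
    everything = {u.decode("latin-1") for u in ANY_URL_RE.findall(data)}
    return sorted(everything - set(action_uris(data)))

def link_farm_score(data, min_links=8, pdf_share=0.5, host_share=0.5, small_bytes=200_000):
    """PDF_SEO_LINK_FARM shape: small file, many clickable links, mostly .pdf targets
    clustered on one host. The thresholds are assumptions, not the report's."""
    uris = action_uris(data)
    n = len(uris)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    pdf_targets = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {"size_bytes": len(data), "links": n, "pdf_targets": pdf_targets,
            "hosts": len(hosts), "top_host": top_host,
            "link_farm": (n > 0 and len(data) < small_bytes and n >= min_links
                          and pdf_targets / n >= pdf_share and top_count / n >= host_share)}

def build_sample():
    """Constructed input (not the analysed file): eight .pdf links on one host, one
    off-host lure, an XMP metadata stream, then an incremental update that redefines
    the catalog (object 1) with an /OpenAction pointing at the lure."""
    links = ["https://files.example-farm.test/uploads/%d/%04x.pdf" % (i, i * 2579) for i in range(8)]
    links.append("https://lure.example/strik?utm_term=bait")
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(links)))
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF>')
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream\nendobj\n",
            b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n"]
    for i, url in enumerate(links):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (5 + i, url.encode()))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R "
              b"/OpenAction << /S /URI /URI (https://lure.example/strik) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return original + update

if __name__ == "__main__":
    pdf = build_sample()
    print(link_farm_score(pdf))
    print(duplicate_objects(pdf))
    print("first-wins URIs:", len(action_uris(pdf, "first")), "last-wins URIs:", len(action_uris(pdf)))
    print("non-action URLs:", non_action_urls(pdf))
```

To use it on a real file, pass `open(path, "rb").read()` to `link_farm_score` and `duplicate_objects`. A PDF 1.4 writer such as the Qt engine behind wkhtmltopdf keeps annotation dictionaries in plain objects, which is why a raw byte scan works here; PDF 1.5+ object streams would have to be inflated before the regexes see the annotations. The first-wins versus last-wins difference in the output is the point of the duplicate-object heuristic: a reader that trusts the first definition never sees the /OpenAction that a last-wins reader executes.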

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f13c.bin
  SHA-256: 25941aaed39ddf4a45889c471c0f438f70463e93dd057bf0b37531eb2e7f4ca8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF13C
  Size: 5740 bytes

font_01_sfnt_off000104b4.bin
  SHA-256: efa7aaf552ed4c62d8a05000fd14bafe392438041000348f7833334f2c1f97e7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x104B4
  Size: 10936 bytes