Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb5f99474916c97f…

Verdict: MALICIOUS
File type: PDF
Size: 76.7 KB
Created: 2021-03-15 14:01:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b94b48959e6ca1616cfa51a88d123d9
SHA-1: dd6788d079d9fc5dbaa1f50419ec75e055fda551
SHA-256: fb5f99474916c97f481d0fb5690030d0bf7821213e56539744704c25ebcc8ecb
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains a large number of external links, suggesting it is part of a link farm designed to distribute malicious content or facilitate phishing. The primary URL, https://midufefew.ru/award?keyword=certificat+de+cession+de+v%25C3%25A9hicule+pdf+remplissable, is likely used to lure victims by appearing as a legitimate document. No scripts were extracted, but the PDF structure and numerous external links point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=certificat+de+cession+de+v%25C3%25A9hicule+pdf+remplissable
    • https://static.s123-cdn-static.com/uploads/4390638/normal_600644633aec3.pdf
    • http://dujivodawalaxu.22web.org/73780525887.pdf
    • https://cdn-cms.f-static.net/uploads/4415309/normal_601704c2e37a2.pdf
    • https://dulipitigisol.weebly.com/uploads/1/3/4/7/134717891/7703845.pdf
    • http://wow50.pro/spider_man_comics_1963xi13g.pdf
    • https://luwojasog.weebly.com/uploads/1/3/1/3/131380471/722d40c9a22.pdf
    • http://rawenspant.online/nizemenedujy4s7g.pdf
    • http://zonixutazexe.iblogger.org/my_samsung_tv_doesnt_have_disney_plus_app.pdf
    • https://cdn-cms.f-static.net/uploads/4460709/normal_6009b538c6f9c.pdf
    • https://sujoxiwu.weebly.com/uploads/1/3/4/8/134879933/a4e5ed7595be546.pdf
    • https://bajigexok.weebly.com/uploads/1/3/4/1/134131467/719d2c1386a0eb3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/41d80f9c-ca1b-4651-a93a-b6062aaed4ca/garmin_astro_220_tracking_collars.pdf
    • http://nabafomubibatu.epizy.com/lanipamef.pdf
    • https://5c839259-519f-4cee-a1a2-6639d654070b.filesusr.com/ugd/140efa_f719ff4138614041a3c566016a5e53aa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ef78da31-8e70-44a9-a66d-157b6e2cc685/how_much_is_a_stihl_066_worth.pdf
    • https://19d8af67-ac20-4a7c-8ffd-69be953788a8.filesusr.com/ugd/578741_420d66e7fe174ecfb430eff98991925a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b86cc8a1-ef0e-4dd8-9411-0665deb8f186/88021219661.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb4a.bin
  SHA-256: 56b552ef354ff0b423eff80870ac36f1c547ae338675b5c4c4bf88c5b2a6015e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEB4A
  Size: 5644 bytes

Filename: font_01_sfnt_off0000fe0f.bin
  SHA-256: a1c4555b8194c5570054b99e9614f7e3c0b008b24c772c01b6084393b984fd27
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFE0F
  Size: 12092 bytes