Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff2dbcf1387abe68…

Verdict: MALICIOUS
File type: PDF

Size: 83.0 KB
Created: 2021-06-09 03:26:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9c86a9c5c5f6a35b65293216b1903c70
SHA-1: 21ce21f8d8b0ead562364de01220979ef307f1f6
SHA-256: ff2dbcf1387abe6872be79bc02ee6b1c3bf2b3b862c558f1ed441ff24555fc77

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to PDF files with potentially misleading titles, indicating a link farm or SEO manipulation tactic. One of the primary external URIs, 'https://catamma.ru/pbw?utm_term=meera+ke+jaise+bulate+nahi', is flagged as suspicious. ClamAV and ML classifiers also identified this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://catamma.ru/pbw?utm_term=meera+ke+jaise+bulate+nahi

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off0000decb.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDECB | 5060 bytes
  SHA-256: 7ec66d2567734772436c54964ad6021a558f02c17e9e1574311d249f950f33f6
font_01_sfnt_off0000f001.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF001 | 4468 bytes
  SHA-256: 8b69a766a9e8ec7f291be8e936e0c374ba30e04bd1ba52ed2f33efc004b056ad
font_02_sfnt_off0000fe1c.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE1C | 10964 bytes
  SHA-256: 372ef70ca2b68bb51d41ecca6982448144a4f28d9346726f3c7afaa0337f82b5
font_03_sfnt_off000123bb.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123BB | 7200 bytes
  SHA-256: 6a5e872ef3ba1abc0856f1cf58add902439aad5febc4838e2c5cbba11c5a6bc4