Malicious PDF — malware analysis report

Static analysis result for SHA-256 ffc842411525a8f6…

Verdict: MALICIOUS
File type: PDF
Size: 88.8 KB
Created: 2021-03-24 11:25:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c0f2288fa813bb258593d1d1690159d
SHA-1: 54a2919d55b99cf0f79dbd8e1f9a05b170fb8d55
SHA-256: ffc842411525a8f6e699d4a30d37cd740145a353575233cd81bac18963b44777
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, with one prominent URL pointing to 'seumenha.ru', suggesting a phishing or malware distribution campaign. The document body, though heavily obfuscated, appears to be a lure related to spiritual messages, a common tactic for social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=carta+de+dios+para+ti+en+momentos+dificiles

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e952.bin | 692246d9975e96a4f37d69d688cde732e229fc29845e06daaeda3c3c5f38c9b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE952 | 5112 bytes
font_01_sfnt_off0000fa93.bin | 1e8431fb03391fcb642cafe4c6c96979b48090def36d0fa93c65d866f9b5baad | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA93 | 2812 bytes
font_02_sfnt_off000106c6.bin | 42f15f9715e740fcec634bc3593a1a0710eca23be7e10df84d5b235881ada834 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x106C6 | 11940 bytes
font_03_sfnt_off00012dde.bin | a9e84e343cf57bdcfe90a5aabc0e22c5481708ebc4f7a101b255b3cd99feab99 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12DDE | 16548 bytes
font_04_sfnt_off00014498.bin | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14498 | 4324 bytes