Malicious PDF — malware analysis report

Static analysis result for SHA-256 0127b84ba7388ef8…

MALICIOUS

PDF

Size: 111.8 KB
Created: 2021-02-25 19:47:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-13
MD5: 2f0e16714e5aca5f1b090ab878ebd1ac
SHA-1: fa7c2ac72ce02e0b61c31448254251997c868130
SHA-256: 0127b84ba7388ef885f7ee6e8793b02731825f34e574aaf306c7aec499baa254
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, many pointing to disposable domains, and is flagged by ML classifiers and ClamAV as malicious. The document body, though partially corrupted, suggests a lure related to downloading a movie, which is a common tactic for phishing or distributing malware. The presence of external URIs and the overall structure indicate an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9887

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=descargar+pelicula+parasitos+sub+espa%25C3%25B1ol (PDF link annotation)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off0001132a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1132A | 4272 bytes | 630201f0b900e3524faf37da42d596d71e067c647da8789cab0b00dec9befdb3
font_00_sfnt_off0000e860.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE860 | 7080 bytes | b7ce23f315245a000a702a1f95f653ef197a346674ed4bdd005d6f4d495cfa79
font_01_sfnt_off000100d1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100D1 | 5452 bytes | 9b499db39c301801ca589fa4bdcc958a2ea2c52954d7472ae52cb62d4aaed00b
font_03_sfnt_off0001220a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1220A | 4744 bytes | bee326060a3a7aab731972f264ad4c9790a760253c11d16379f060037629f63f
font_04_sfnt_off00013173.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13173 | 2480 bytes | b21b88feee5076897de334d3719d025233f7b36ef1f98cc656eb817296a3f25f
font_05_sfnt_off00013cc0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13CC0 | 6952 bytes | 9af463bfb14a7919846b9a39c73d3735e779d0c8eb6abcac8d9110a82f6fa749
font_06_sfnt_off00014f6b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14F6B | 1896 bytes | 426868031475cadaa1bad2ae17aa1923a0a31fae59147f151482c9dadd8b09a4
font_07_sfnt_off00015883.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15883 | 13440 bytes | 6f53d28b2efe7a3ae41dc6967694b185e9c95230ce5c3ae8fb12d458d3c829e9
font_08_sfnt_off000183ff.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x183FF | 18060 bytes | d32a6cfc1e1f7434a052e1137a127e17c0e1a8d51fb3ed791b7fdcc6f81bd838
font_09_sfnt_off0001a026.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A026 | 2956 bytes | 562d86599ea380cb9e75e3211394ff9b40f64ce4a901319778b6b842e132db20