Malicious PDF — malware analysis report

Static analysis result for SHA-256 043d6b86e1d5d41d…

Verdict: MALICIOUS
File type: PDF
Size: 127.2 KB
Created: 2021-03-20 01:16:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: a3127a7d63750b9f75e44da7791bffc4
SHA-1: f3f59849f68202448bcc078ae7a779191de96f06
SHA-256: 043d6b86e1d5d41d053459c050c490e670ae8c665ad4dd453809a5c28c0f940e
Risk Score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many hosted on disposable domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no explicit script was found, the PDF structure and external links are indicative of a phishing or SEO spam campaign, likely leveraging embedded JavaScript for redirection or further exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9609

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_006_off00014261.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14261 | 1540 bytes | 496bf527228802f70ed0cc252007dd9ee4e3fc3a20ba377a1a00aecd615d5bdc
font_00_sfnt_off0000fcbd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCBD | 7280 bytes | 15df4a5b918cc583a6012f18b62ac3d66c69bd5dae59d85d52ba86760d6a1b2c
font_01_sfnt_off000113a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x113A2 | 5548 bytes | b02b269e7d0d82d64323140500c86c3ed4adc515144c0d8801db589af3dd97f9
font_02_sfnt_off0001263a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1263A | 7480 bytes | c3010de1a5703f62f10ec9ac20e928a43fe2385a5312e1b37926acc77fcb6781
font_03_sfnt_off00013825.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13825 | 2892 bytes | 13e73383c2a55a782638216536e7e5cf425a8dfe691d2354f7345a42b5dd7e6c
font_05_sfnt_off00014aa6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14AA6 | 1500 bytes | b2d5952860abc0d83a53029411fa08ccab38d3e4f2385d065fa2c527805db702
font_06_sfnt_off000152d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x152D9 | 11144 bytes | 647dac4f08e9d8021c4c9b36053910f1fa0b83e6663ef3b4025ad6bc718fbe08
font_07_sfnt_off000176e3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176E3 | 14968 bytes | 7de7f5c13133be930ff3317ae799e67f2b8e82c36c49fec777379700e29eb2b3
font_08_sfnt_off0001a58e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A58E | 37756 bytes | ec1855f0d8f51c1db1f15a2ec2c6f574787c0f04953d3792879d4f3be0aa7b3a
font_09_sfnt_off0001da10.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1DA10 | 6252 bytes | ef3adb5940ed2f3f6fc80d7a92d23b1f68ff332a9cdd4cbc67962a714d099142