Malicious PDF — malware analysis report

Static analysis result for SHA-256 05bcdd2acef04270…

MALICIOUS

PDF

Size: 85.9 KB
Created: 2021-04-10 22:40:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: ae50983eb22c53fd722f5964cb878f49
SHA-1: 72aa6856a08318f0778ac31bf0824e0ca95f6bb6
SHA-256: 05bcdd2acef04270ba7c53e96270828aa60b08abd40e68b01148685739025d1b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/strik?utm_term=ga-100l-1a+g-shock+ga-100+military+series+watch (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00010161.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10161 | 5408 bytes | 5ca70493c1b4975e86d8f08f7f6273dddbf9aa0f4710114c16372093a077b242
font_01_sfnt_off000113e4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x113E4 | 11056 bytes | 096441cc860fe9f251956987649a37f80183355f1fa045855302c50232e6f9e7
font_02_sfnt_off000139a0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x139A0 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333