Malicious PDF — malware analysis report

Static analysis result for SHA-256 0860cc8505d640cf…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-06-03 20:02:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 651567511ee9ef9add2f4f870809826b
SHA-1: 35592c6f2a8c3b85ad1ad55433f857bcddd2bf9a
SHA-256: 0860cc8505d640cf42a86a70b24781d4154e0544148101076f433d0290aa364f
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off0000f98b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF98B  | 5428 bytes
  SHA-256: 07bc2822bd29d66390178996f0a3e03117432a243e8296c10b2df4c7da20c341
font_01_sfnt_off00010be7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BE7 | 11724 bytes
  SHA-256: 7c9c7e50d445ba3da4d3810cd6d83324606a726cfd6e39a05036a880371feaa7