Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b246061fc0b1823…

Verdict: MALICIOUS
File type: PDF
Size: 82.8 KB
Created: 2021-03-28 21:29:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25

MD5: accfade3d3f239f2c5c2e6da9c6eb465
SHA-1: 67306f1b2ddc2cf2dace0d8a3c554666a051f020
SHA-256: 0b246061fc0b182393f4ae10f9f34301b7e15008cd71647904239cc9a9f02eac

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and by an ML classifier. The file embeds a large number of external links, most of them to other PDFs and clustered on a few hosts, which is the pattern of a generated SEO link farm rather than a normal document's citations. The specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content (an action, script or URI).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/123?utm_term=bd+police+job+application+form (PDF link annotation)
    • http://sesesuruko.mypressonline.com/19144917037.pdf (in PDF document text)
    • https://cdn.sqhk.co/zimidenex/cje0sZK/vositabowobimexig.pdf (in PDF document text)
    • https://cdn.sqhk.co/dokukavifig/gcSSgcG/54731260876.pdf (in PDF document text)
    • https://cdn.sqhk.co/womalakifaxa/cNpijhj/47649559328.pdf (in PDF document text)
    • http://ruguwafe.scienceontheweb.net/ravajunasupagalis.pdf (in PDF document text)
    • http://pekibimige.mygamesonline.org/transistor_biasing_nptel.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bde4ce85-f952-4775-b2ac-a3fb1f5eea69/lyrics_of_7years_by_lukas_graham.pdf (in PDF document text)
    • https://s3.amazonaws.com/tokudapele/play_boggle_online_free_no.pdf (in PDF document text)
    • https://2521c3e2-5736-45bb-9381-71005f2ffa37.filesusr.com/ugd/c85705_dfa26080223c4846b975f16c03f34ff8.pdf?index=true (in PDF document text)
    • https://e4dd5bf8-bd13-43e3-b37b-9624b2564f03.filesusr.com/ugd/093416_51cb8233d3d94faa8bec99dbb93bd3d6.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/kavugusepe/comfort_file_ke_excel.pdf (in PDF document text)
    • http://kikanelomer.onlinewebshop.net/2715534937.pdf (in PDF document text)
    • https://s3.amazonaws.com/gowebabuxogiro/what_is_the_meaning_of_a_mechanical_pencil.pdf (in PDF document text)
    • https://s3.amazonaws.com/jebupofedijakuk/metformin_in_pregnancy_pcos.pdf (in PDF document text)
    • https://203e60c5-e32a-4587-ab6d-31d66de6d5b9.filesusr.com/ugd/014c36_35bcd3fbe2c0409c97a375ca30ea59a5.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d3edfe48-6261-4aea-a72c-9af6246a95b0/conversion_de_ml_a_gramos.pdf (in PDF document text)
    • http://xogijowag.onlinewebshop.net/56597270283.pdf (in PDF document text)
    • https://s3.amazonaws.com/lakadutof/third_conditional_exercises_worksheets.pdf (in PDF document text)
    • https://s3.amazonaws.com/vetamedisoz/calc_series_cheat_sheet.pdf (in PDF document text)
    • https://acd80754-3b70-42c6-a60f-3489f6261da4.filesusr.com/ugd/f1780b_c6c0e6f78d304690bb16a970cd1efec2.pdf?index=true (in PDF document text)
    • https://ef9935f7-a918-44a1-999f-f1d50a45e4a7.filesusr.com/ugd/b463f2_cbb5ad9ccbad49c7b8a3ea1921aa5785.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Note: the last seven entries are not link-farm targets. The w3.org, purl.org and ns.adobe.com URLs are XMP/RDF schema namespaces from the document metadata, and scripts.sil.org/OFL (the SIL Open Font License) and ascendercorp.com (a font foundry) are the kind of strings found in embedded font licence and copyright metadata, which fits the two sfnt fonts carved below. Only the hosting-platform and throwaway-domain .pdf links above should go into blocklists.
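The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce on raw bytes. The following is an added example, not part of this report or of the scanner that produced it. It parses indirect objects with a regex, keeps duplicate definitions so the first-wins / last-wins divergence can be shown, raises severity on a duplicate only when its body carries active content, and then scores the link set the way the link-farm rule describes. The thresholds (256 KB, 10 links, half of the links on one host) and the tiny PDF it runs on are constructed for illustration; real scanners also have to handle hex strings, object streams and cross-reference streams, which this example deliberately skips.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): three /URI link annotations,
# two of them on one host, and object 4 defined twice with different bodies.
# The second "4 0 obj" is what an incremental update would append.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a/1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b/2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example.test/x.pdf) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c/3.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal-string URIs only
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA|SubmitForm)\b")


def find_objects(data):
    """Every 'N G obj ... endobj' definition in file order, duplicates included."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data):
    """(num, gen) -> list of bodies, for objects defined more than once with
    differing body bytes (byte-identical repeats are not interesting)."""
    bodies = {}
    for num, gen, body in find_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def active_duplicates(data):
    """Duplicates whose bodies carry an action, script or URI: the case in which
    the report says the finding deserves more than 'info' severity."""
    return {k: v for k, v in duplicate_objects(data).items()
            if any(ACTIVE_RE.search(b) for b in v)}


def resolve(data, policy="last"):
    """Emulate a first-wins or last-wins reader: one body per (num, gen)."""
    resolved = {}
    for num, gen, body in find_objects(data):
        if policy == "first" and (num, gen) in resolved:
            continue
        resolved[(num, gen)] = body
    return resolved


def link_uris(resolved):
    """URIs reachable through /URI actions in the resolved object set."""
    return [m.decode("latin-1") for body in resolved.values()
            for m in URI_RE.findall(body)]


def link_farm_assessment(data, policy="last", max_size=256 * 1024,
                         min_links=10, cluster_fraction=0.5):
    """Shape of the link-farm rule: small file, many external links, most of
    them clustered on one host. Thresholds are assumed, not the scanner's."""
    uris = link_uris(resolve(data, policy))
    hosts = Counter(urlsplit(u).hostname for u in uris
                    if urlsplit(u).scheme in ("http", "https"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    flagged = (len(data) <= max_size and len(uris) >= min_links
               and top_count >= cluster_fraction * len(uris))
    return {"size": len(data), "links": len(uris), "pdf_links": pdf_links,
            "top_host": top_host, "top_host_links": top_count, "flagged": flagged}


if __name__ == "__main__":
    for key, bodies in active_duplicates(SAMPLE_PDF).items():
        print("duplicate object with active content:", key)
        print("  first-wins reader sees:", resolve(SAMPLE_PDF, "first")[key])
        print("  last-wins reader sees: ", resolve(SAMPLE_PDF, "last")[key])
    print(link_farm_assessment(SAMPLE_PDF, min_links=3))
```

The point of resolving under both policies is that a blocklist built from one reader's view misses the URL the other reader follows; for a real sample, extract the link set under both and submit the union. The default thresholds keep the three-link sample below the alarm line, which is the intended behaviour: a handful of external links is normal citation traffic, and the rule only fires when the count and the clustering together look generated.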

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001040b.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1040B
Size: 5388 bytes
SHA-256: 029a8ca21f1ddab78670b785a525d4de2b8d597370be7234145b8ee7a16fc5a8

Filename: font_01_sfnt_off00011651.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11651
Size: 11200 bytes
SHA-256: 4641f6ab8a9bf2bd771461bec2109cc508be24ef06f30f6b6f79846a3246f2d7