Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c282f9a8e7fabf2…

MALICIOUS

PDF

76.2 KB Created: 2021-04-25 21:55:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: 6fcf55650cb08852b0ae3f2e4bd1e5db SHA-1: ee8d8509510f275620e5d23a53b550cf38030ef6 SHA-256: 0c282f9a8e7fabf295f239761c189687894e42bafc1511f2c59a43e055ce66da
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded JavaScript payload that likely attempts to download and execute a second-stage payload from a remote URL. The document body and metadata suggest a lure related to downloading PowerShell, which is a common tactic for distributing malware. The presence of numerous external links, many pointing to PDF files, indicates a potential link farm or distribution network.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=powershell+5.0+windows+2012+r2+download PDF link annotation
    • http://xegisepereti.mygamesonline.org/synthesis_of_phenyl_benzoate_from_phenol.pdfIn PDF document text
    • http://changely.club/93552643069ootee.pdfIn PDF document text
    • http://about-central.com/75313527200lulb7.pdfIn PDF document text
    • http://digitalmicroteter.xyz/315988420617n7kl.pdfIn PDF document text
    • http://pinenud.mygamesonline.org/gewumovawakeloto.pdfIn PDF document text
    • http://1xbet-registrat.site/ideas_principales_del_cuento_la_gallina_degollada24d3a.pdfIn PDF document text
    • http://help-violation.com/2520770484l64v5.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/povelenavuviw/number_flash_cards_printable.pdfIn PDF document text
    • https://f1ddcea9-c323-452c-a4d3-aaefec61e50a.filesusr.com/ugd/defd8a_7314ebc7490e480eb226137cab7ba517.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/bajapovogam/pasomevazijep.pdfIn PDF document text
    • https://s3.amazonaws.com/jefazaxal/1-_300_blacksmithing_guide_vanilla.pdfIn PDF document text
    • https://s3.amazonaws.com/farefasejikap/xewaxoredefefivawogu.pdfIn PDF document text
    • https://s3.amazonaws.com/farefasejikap/nigipewijupodo.pdfIn PDF document text
    • https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_4fe69d3842e14e21a5b2e02a6d06bc53.pdf?index=trueIn PDF document text
    • https://064d663d-f6b2-44cf-a6ad-083da5f315e5.filesusr.com/ugd/77eba6_a6e329b0723b41bea4cb017761d05331.pdf?index=trueIn PDF document text
    • http://vepitejususas.atwebpages.com/korean_embassy_visa_application_form.pdfIn PDF document text
    • https://s3.amazonaws.com/zerepuzuze/titulos_de_credito_acciones_caracteristicas.pdfIn PDF document text
    • https://19972ee8-34f0-4900-8009-9f590161cd02.filesusr.com/ugd/64db51_c2614186851f45439ed44c13bd8fb829.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/sesijesule/cliffs_of_dover_bass_sheet_music.pdfIn PDF document text
    • https://656adf98-7a81-40bd-8d0f-2b9c27d09201.filesusr.com/ugd/268ab1_69fba9555a984a088814157bba43bb33.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00012b5d.bin pdf-embedded-script PDF raw stream script payload at offset 0x12B5D 1646 bytes
SHA-256: 1aabd8dd84b37658616f05ba0585209dbb9ad02a303e48041a734cca9f0a0d6e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Mobipocket Creator'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>

 <rdf:Description rdf:about=''
  xmlns:dc='http://purl.org/dc/elements/1.1/'
  dc:format='application/pdf'>
  <dc:creator>
   <rdf:Seq>
    <rdf:li>Rarenepu Nidewohuko</rdf:li>
   </rdf:Seq>
  </dc:creator>
  <dc:description>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Powershell 5.0 windows 2012 r2 download.   Please edit this document if you spot an error or if you want to add information. Backward compati</rdf:li>
   </rdf:Alt>
  </dc:description>
  <dc:subject>
   <rdf:Bag>
    <rdf:li>Powershell 5.0 windows 2012 r2 download.   Please edit this document if you spot an error or if you want to add information. Backward compati</rdf:li>
   </rdf:Bag>
  </dc:subject>
  <dc:title>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Powershell 5.0 windows 2012 r2 download</rdf:li>
   </rdf:Alt>
  </dc:title>
 </rdf:Description>

 <rdf:Description rdf:about=''
  xmlns:pdf='http://ns.adobe.com/pdf/1.3/'
  pdf:Producer='Mobipocket Creator'/>

 <rdf:Description rdf:about=''
  xmlns:xmp='http://ns.adobe.com/xap/1.0/'
  xmp:CreateDate='2020-08-16T11:10:38'
  xmp:CreatorTool='Mobipocket Creator'/>

 <rdf:Description rdf:about=''
  xmlns:xmpMM='http://ns.adobe.com/xap/1.0/mm/'
  xmpMM:DocumentID='bfe432c6-0f14-46f3-a45b-d35c9d95957a'
  xmpMM:InstanceID='d9353fef-eebe-4166-b87a-307b396ad925'/>

 <rdf:Description rdf:about=''
  xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/'
  xmpRights:Marked='True'/>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
font_00_sfnt_off0000e949.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE949 5488 bytes
SHA-256: 3726f943d1c56ccceb2ed75886f626b33de8cdde20142c9e9643bc17cffc2e29
font_01_sfnt_off0000fc10.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC10 11544 bytes
SHA-256: 1711ab48cc0c9d469e09c7e84225b73824bf9d8d130e52e65cc125b973b7e91d