Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d1c8c470a427a99…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2021-09-18 03:56:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-31
MD5: ce5cf04a0693ddc3c1295e7ce08c5885
SHA-1: a2a3ed163daa2e3900408c262beac2880dc8cc04
SHA-256: 0d1c8c470a427a9931a6298ca9a9671135b627949b58d8003f2aa22f4b6b5540
Risk score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution (engine mapping; note that the static findings below identify no exploit content in this sample, so T1203 is not corroborated by the evidence here)

The file is flagged by a ClamAV signature (Pdf.Phishing.Trojan) and by the Nyx ML classifier (score 0.9909). Its content is a link farm: 26 links to .pdf files on 26 distinct hosts, most of them under upload directories of third-party sites (userfiles, ckfinder, uploads and formcraft file-upload paths), plus a single clickable link annotation to an SEO redirector whose utm_term parameter carries the search phrase the document is meant to rank for. This is the 'free document/template' SEO-phishing pattern: the PDF surfaces in search results and funnels the reader into redirect or payload chains at the linked destinations. No exploit content was identified in the document itself (the heuristics fired on links and object structure only), so the risk lies in following the links rather than in opening the file. The wkhtmltopdf producer tag (an HTML-to-PDF renderer) is less common for a malicious PDF but is consistent with the document having been rendered from a web page. One indirect object is defined twice with different bodies; this was reported at info level, meaning the duplicate carries no active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9909

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or URI actions, form submission); here it did not, hence the info rating.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Source: PDF link annotation (the only URL reachable by clicking)
    • https://cructi.ru/uplcv?utm_term=the+princess+bride+screenplay+pdf (utm_term SEO-redirector link)
    Source: PDF document text (26 .pdf links, one per distinct host)
    • http://barudan.hk/UploadFile/file/20210901105902352.pdf
    • https://auditorescr.com/ckfinder/userfiles/files/36436934751.pdf
    • http://kleinschadenexperte.de/userfiles/file/57340075453.pdf
    • https://jills.reviewz.eu/app/webroot/files/userfiles/files/zugutizevaxu.pdf
    • https://bucatariizidite.ro/printuri-fi/files/nixup.pdf
    • https://universitecentrale.net/uploads/FCK_files/file/37840702276.pdf
    • http://farmina.ru/uploads/files/88120208210.pdf
    • http://itagqatar.zajeltel.com/itag/file/files/jogagusutorevevoxetokanan.pdf
    • https://transdeliveris.lt/userfiles/file/kobal.pdf
    • http://elrey-uslugi.ru/media/file/kedekemabamulefevuwegone.pdf
    • http://johnlillylaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/23571472636.pdf
    • https://promoform.coreform.it/uploads/file/virasumoxegugiroronen.pdf
    • http://pc-driver.ru/userfiles/files/vubizikesezuj.pdf
    • http://www.ortodonciaelisafarache.com/ckfinder/userfiles/files/zamekun.pdf
    • http://moveisgarciadigital.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1612ec324103a6---88358192524.pdf
    • https://epagneuls-bretons.fr/caningest/images/file/69836147273.pdf
    • https://inprovitecuador.com/ckfinder/userfiles/files/47339490076.pdf
    • https://dolupin.com/calisma2/files/uploads/75595019635.pdf
    • http://travelport.pl/userfiles/file/wezilajafodekujugak.pdf
    • https://holcom-wd.com/webroot/img/files/47343957623.pdf
    • https://aydin-elektrik.com/resimler/files/20384120999.pdf
    • http://ibconsulting.it/userfiles/files/pukigizebu.pdf
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16143f3bbb2543---rinefatilabulivulaka.pdf
    • https://ximatinhdongnai.com/app/webroot/files/images/pages/files/fofinurojafivumudo.pdf
    • http://www.hkimm.hk/_bin/ckfinder/userfiles/files/jotina.pdf
    • http://4chan.ro/UserFiles/file/sejefegosamipurejoluxa.pdf
    Source: PDF document text, metadata (standard XMP/RDF namespace URIs and the embedded DejaVu font licence; not clickable links and not indicators)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
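
The two structural heuristics above, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, re-implemented as an added Python example. This is not the analysis engine's own code: the host-dispersion thresholds, the UPLOAD_PATH_MARKERS list and the minimal SAMPLE_PDF (an incremental update that redefines a link annotation) are illustrative assumptions, and REPORT_URLS is a ten-URL subset of the links listed above. The object scanner is regex-based and only sees objects written in clear; a full check would also decode /ObjStm containers.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Ten of the link URLs listed in the report above (link annotation first, then
# document-text links); the XMP namespace and font-licence URLs are left out
# because they are metadata, not links a reader can follow.
REPORT_URLS = [
    "https://cructi.ru/uplcv?utm_term=the+princess+bride+screenplay+pdf",
    "http://barudan.hk/UploadFile/file/20210901105902352.pdf",
    "https://auditorescr.com/ckfinder/userfiles/files/36436934751.pdf",
    "http://kleinschadenexperte.de/userfiles/file/57340075453.pdf",
    "https://jills.reviewz.eu/app/webroot/files/userfiles/files/zugutizevaxu.pdf",
    "https://bucatariizidite.ro/printuri-fi/files/nixup.pdf",
    "https://universitecentrale.net/uploads/FCK_files/file/37840702276.pdf",
    "http://farmina.ru/uploads/files/88120208210.pdf",
    "http://moveisgarciadigital.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1612ec324103a6---88358192524.pdf",
    "http://4chan.ro/UserFiles/file/sejefegosamipurejoluxa.pdf",
]

# Assumed, illustrative markers for upload directories on third-party or free
# hosting; a production rule would use a curated list.
UPLOAD_PATH_MARKERS = ("userfiles", "ckfinder", "uploadfile", "/uploads/", "file-upload", "/webroot/")


def link_farm_metrics(urls):
    """Host dispersion and corroborating signals for the link-farm heuristic."""
    parsed = [urlparse(u) for u in urls]
    n = len(parsed)
    if n == 0:
        return {"urls": 0}
    hosts = Counter(p.netloc.lower() for p in parsed)
    top_host, top_count = hosts.most_common(1)[0]
    return {
        "urls": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n,  # 1.0 means a single dominant host
        "pdf_link_ratio": sum(p.path.lower().endswith(".pdf") for p in parsed) / n,
        "utm_term_redirectors": [p.geturl() for p in parsed if "utm_term" in parse_qs(p.query)],
        "upload_path_hits": sum(any(m in p.path.lower() for m in UPLOAD_PATH_MARKERS) for p in parsed),
    }


def is_disposable_link_farm(urls, min_urls=8, max_top_share=0.25, min_pdf_ratio=0.8):
    """Assumed thresholds: many links, no dominant host, mostly .pdf targets,
    corroborated by a utm_term redirector or several upload-directory paths."""
    m = link_farm_metrics(urls)
    if m["urls"] < min_urls:
        return False
    corroborated = bool(m["utm_term_redirectors"]) or m["upload_path_hits"] >= 3
    return m["top_host_share"] <= max_top_share and m["pdf_link_ratio"] >= min_pdf_ratio and corroborated


# --- duplicate indirect objects (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) ---

OBJ_RE = re.compile(rb"^\s*(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.M | re.S)
# Dictionary keys whose presence makes a differing duplicate worth raising.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm", b"/GoToR")


def find_duplicate_objects(pdf):
    """Report objects whose (number, generation) is defined more than once with
    different bodies; a first-wins and a last-wins reader would disagree on them."""
    first = {}  # (num, gen) -> (sha256 of body, body, offset) of the first definition
    findings = []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        digest = hashlib.sha256(body).hexdigest()
        if key not in first:
            first[key] = (digest, body, m.start())
        elif first[key][0] != digest:
            active = any(k in body or k in first[key][1] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first_offset": first[key][2],
                             "dup_offset": m.start(), "active_content": active})
    return findings


# Constructed sample: an incremental update redefines link annotation 4 0 so
# that a last-wins reader follows an SEO redirector instead of the original URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/clean.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/uplcv?utm_term=free+template+pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_metrics(REPORT_URLS))
    print("link farm:", is_disposable_link_farm(REPORT_URLS))
    for f in find_duplicate_objects(SAMPLE_PDF):
        print("duplicate object", f)
```

On the report's URLs the ten hosts are all distinct (top-host share 0.1), nine of ten targets end in .pdf, eight sit under upload-directory paths and one carries a utm_term query, so the link-farm rule fires; on the constructed PDF the scanner reports object 4 0 as redefined with a differing body that carries a /URI action, which is the case where the engine would raise severity above info.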

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000baee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBAEE | 10716 bytes | cfa2a728b72c68b1774bd58b4090c9df66ba43441a2698df58e2cc2f0f52c501
font_01_sfnt_off0000d33c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD33C | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0000eb4e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB4E | 17028 bytes | 63931451fb073a36bf64201be133498a680e9dd1a30ba67b36dfebfe2eb3754a