Malicious PDF — malware analysis report

Static analysis result for SHA-256 101a0b32bad97f24…

MALICIOUS

PDF

Size: 74.4 KB
Created: 2021-03-11 20:04:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: c30a35157d2f4b9118d087797317e89b
SHA-1: e9040426df7fc84efe71bd0feba7dd9f7e4d4f61
SHA-256: 101a0b32bad97f240a6487f6e0b8f341ef749bda8d127b8c89465c3db479207a
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to direct users to potentially malicious content or phishing sites. The presence of embedded URLs and the overall structure strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://druttle.ru/wix?keyword=psl+2020+live+streaming+in+india (PDF link annotation)
    • https://cdn.sqhk.co/pubamegumox/eji22qn/titan_quest_atlantis_walkthrough.pdf (in PDF document text)
    • https://cdn.sqhk.co/zulatobi/Kthdhhp/rujov.pdf (in PDF document text)
    • https://cdn.sqhk.co/xudekutof/A3clhgq/fun_masks_run_race_adventure_time.pdf (in PDF document text)
    • https://cdn.sqhk.co/dokederajo/igtjYeT/65685270890.pdf (in PDF document text)
    • https://cdn.sqhk.co/kakapoxavu/OMtibig/read_along_children_s_books_online.pdf (in PDF document text)
    • http://gimatadokij.mygamesonline.org/echo_gt-225_weed_wacker_parts.pdf (in PDF document text)
    • https://cdn.sqhk.co/vetejevibas/ZThbpha/fire_and_water_new_adventure.pdf (in PDF document text)
    • http://woziwowariv.sportsontheweb.net/stock_market_crash_1987_effects.pdf (in PDF document text)
    • https://cdn.sqhk.co/tufiroxova/jsdeib6/virus_card_game_walmart.pdf (in PDF document text)
    • https://cdn.sqhk.co/kagurase/v7igijc/lock_screen_windows_10_disable.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/383cd528-503d-4baf-98f0-230e7c919626/how_do_i_connect_my_zagg_keyboard.pdf (in PDF document text)
    • https://7c8f45b7-e058-4e27-bccd-8ee7dcb26900.filesusr.com/ugd/d5cf39_3c11d3e66ae24942adff035df37156a1.pdf?index=true (in PDF document text)
    • https://0b7b936c-93ac-4a60-9644-6ba220b934cc.filesusr.com/ugd/b4bf80_66205f22e9a540479898b69f01da411e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/420a0743-c299-43be-9e1c-8d42384849b8/using_the_graph_below_calculate_the_density_of_the_salt_water_solution.pdf (in PDF document text)
    • https://8772a198-af03-49ef-8724-5feb7546cb8a.filesusr.com/ugd/436f04_090c157dd32845a1a7efcf05e10b13e8.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/de2463ef-aedd-4e0d-9a04-14b4cc91d731/ap_human_geography_chapter_7_ethnicity_vocabulary.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1de24368-4d9f-454a-b586-442284a645e3/how_to_test_power_supply_without_pc.pdf (in PDF document text)
    • http://zeroxezubanalil.onlinewebshop.net/data_analytics_made_accessible_2020_edition.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1506441-44ad-42f0-9822-a49b3a8a20be/icewind_dale_enhanced_edition_change_resolution.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d1f2da01-fa60-4727-874f-eb4b7edac03b/vilisuzolirovopekix.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad02fff8-1a98-46f2-84b8-906711f3cf50/salario_minimo_para_empleados_exentos_puerto_rico.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5f9d2475-d3de-45b5-9f93-adb7f8c88b01/international_finance_newspaper.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e6ba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6BA
    Size: 5480 bytes
    SHA-256: 77b026c314c8b885f00cbf33e6bdcb18b0d0bd2466e521d735efe0a9e17e88c2
  • Filename: font_01_sfnt_off0000f94e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF94E
    Size: 10208 bytes
    SHA-256: aa207db5ad6e3e2c3da1b66e023a29bba6648ffd9a2970084ef0c48c80266768