Malicious PDF — malware analysis report

Static analysis result for SHA-256 106d4d1d0c923118…

MALICIOUS

PDF

Size: 86.7 KB
Created: 2021-03-23 05:47:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 9b0f105e33d939da222016a9075eb53b
SHA-1: 1be174f232ca93ac5a52ddb04bebe7336e106977
SHA-256: 106d4d1d0c923118a362aa872a189a3fce28c536ee324f0bae94f8c3d79ed655
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=pearson+precalculus+11+textbook+pdf (channel: PDF link annotation)
    • https://cdn.sqhk.co/xituvusaw/T4Chhhh/pevomazepukubomexo.pdf (channel: PDF document text)
    • http://baugroup.info/xumuxitafijoxapelobomunad6vgu.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/matikefateri/cFhgiid/retro_popcorn_maker_bed_bath_and_beyond.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/gidenateg/ihWbier/75061824318.pdf (channel: PDF document text)
    • https://kutowovazamil.weebly.com/uploads/1/3/4/3/134362820/dozukexezupobit_xofif_kovapager_guvuvukux.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/sixepatexup/3GqgfLi/mini_militia_doodle_army_2_hack_mod.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/jezaziritav/hjwaYjg/50371478585.pdf (channel: PDF document text)
    • https://dabusoze.weebly.com/uploads/1/3/4/5/134585091/lerirulosofese.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/lepavenujal/ovZihCN/xunal.pdf (channel: PDF document text)
    • http://qwertyujg.xyz/taylor_ice_cream_machine_161_manualzdhxq.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/vupapevixu/vhesKhi/16147792220.pdf (channel: PDF document text)
    • https://taleputara.weebly.com/uploads/1/3/4/3/134305900/689182.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/baruduwege/djggcgj/sk_lavery_moving_to_newington.pdf (channel: PDF document text)
    • http://finansi-7.online/catalogo_inglesina_20190eojt.pdf (channel: PDF document text)
    • https://ripapexogona.weebly.com/uploads/1/3/0/8/130874469/xivizubojisiteduroj.pdf (channel: PDF document text)
    • http://idealsit.fun/bulazovigamuxutam2rfyv.pdf (channel: PDF document text)
    • http://www.ascendercorp.com/ (channel: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/b14da5ff-e31f-4326-89f5-ef8532c75b8e/3752929807.pdf (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/b5428330-7c69-421c-beaa-0386880e207e/g_shock_ga_110gb_fake.pdf (channel: PDF document text)
    • https://c9b0c9dc-51ad-46ec-84b2-dbc26df53712.filesusr.com/ugd/b6f588_28696619d1924600bfef0e89dd1951db.pdf?index=true (channel: PDF document text)
    • https://5c51e3d7-2896-491e-a255-1b002e356b93.filesusr.com/ugd/5b6ce5_6fe8d8896a76414eb83b5d5da624c63c.pdf?index=true (channel: PDF document text)
    • https://f06ae689-34e6-4fd9-b749-a5985747e370.filesusr.com/ugd/4117a9_5373110eaa5e454dbc1234c5d588bc7e.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/74f2f2ad-71bc-471b-abfb-5e2198f84d1d/kepevan.pdf (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/4914ffdb-16e1-469d-921d-7dee1aef383b/plate_tectonics_crossword_puzzles.pdf (channel: PDF document text)
    • https://238a82c5-85a8-4641-a991-2f0f5270ddc4.filesusr.com/ugd/63f22d_fc92ea2f8a674e1394acf5afc554d4b8.pdf?index=true (channel: PDF document text)
    • https://7e8267f5-6380-480e-ad72-df526eaefc07.filesusr.com/ugd/cbe325_9e11a5b67a294f77b38d9a9ae1900a38.pdf?index=true (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/ (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (channel: PDF document text)
    • http://scripts.sil.org/OFL (channel: PDF document text)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00011332.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11332 | 5476 bytes
  SHA-256: 788ab8407326cc2ea6760b6fd20dcd4d22309ef095891becb0ab846b9c1a1486
font_01_sfnt_off000125e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125E0 | 11576 bytes
  SHA-256: 8bc0f3aab4a7b528f09bb3d2a9b13ec3eb9e13bcdbdb899728c27a576a892ba7