Malicious PDF — malware analysis report

Static analysis result for SHA-256 1251ce57ff870a02…

MALICIOUS

PDF

74.7 KB Created: 2021-06-10 21:13:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: 64e59764c7b866b3634068fe75d9a4ea SHA-1: 1ea92c55e4871146fb5061be26e30c1b2a028a87 SHA-256: 1251ce57ff870a022c32f4d5de0900cad5e96e3151aaf89ebdcfc6fd1d22a6e5
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses a password-protected-archive lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/pbw?utm_term=capital+humano+cdmx+recibos+de+pago+2020+pdf PDF link annotation
    • https://xifutasuwisesa.weebly.com/uploads/1/3/2/3/132302919/nasix.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4492588/normal_5fc9ec1b015e5.pdfIn PDF document text
    • https://wufezaju.weebly.com/uploads/1/3/0/7/130738917/3940293.pdfIn PDF document text
    • https://tupalewituto.weebly.com/uploads/1/3/2/6/132682563/gofimujuxedu.pdfIn PDF document text
    • https://kekulewu.weebly.com/uploads/1/3/4/3/134398637/zaluribidumunoximeno.pdfIn PDF document text
    • https://gabavogafev.weebly.com/uploads/1/3/4/0/134000006/2216068411ee.pdfIn PDF document text
    • https://jumifusat.weebly.com/uploads/1/3/4/6/134629025/makumo_rutavupura_noleb_pizuzufefuze.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413126/normal_605f61b3a4f29.pdfIn PDF document text
    • https://labudadujuw.weebly.com/uploads/1/3/1/6/131637223/7e15ed0f6ebfb.pdfIn PDF document text
    • https://vijapuloxo.weebly.com/uploads/1/3/0/7/130775263/wokulilefutef_nenob_mogavakosunuro_nusixidugene.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://gitefov.pbworks.com/f/66228227987.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e08d4bba-08bd-4a49-8782-f373cf0ab0f6/how_to_insert_sd_card_into_samsung_a70.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6c9e6dd9-e1fa-4240-b727-c2d7500416f5/84187682379.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/68f51dff-ed80-4dee-91ce-efc7965d4e53/kigebarosowiviwumojox.pdfIn PDF document text
    • http://lopofemusun.pbworks.com/f/joruwazajizoguxewa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c152bb1e-f6f1-4dbb-8eb9-87d326d31b94/zilimajefepuguriwoguno.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6ac179fc-242c-4741-9234-38ff8d9ffe8e/how_to_use_wd_my_passport_2tb.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c84cf0b6-1fa8-47ee-96cc-c54b6e56cd5e/is_the_maze_runner_a_childrens_book.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c83eda1f-0767-4ee3-9973-f76c470afc43/76260076664.pdfIn PDF document text
    • http://jolunatimavu.pbworks.com/w/file/fetch/144599493/idle_heroes_redeem_codes_2021_reddit.pdfIn PDF document text
    • http://fobimexus.pbworks.com/f/binary_text_decoder.pdfIn PDF document text
    • http://bawamotijeku.pbworks.com/f/how_to_use_stanley_1000_amp_jump_starter.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e01c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE01C 5956 bytes
SHA-256: df91d86340b443f0a435dd919f0605f39f64f57f4bf048e4e25b648de72f05ed
font_01_sfnt_off0000f42e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF42E 12008 bytes
SHA-256: 3a70b8387cb95f620939de2ba5d6c116d7bfad702b62c246ce16e28e82156c24