Malicious PDF — malware analysis report

Static analysis result for SHA-256 12ca0b44812b21a9…

Verdict: MALICIOUS
File type: PDF
Size: 98.4 KB
Created: 2021-04-02 00:36:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 9b6525be80980aca2265df1f7fc9054a
SHA-1: e1683f48420201a1b648a7fd203a8649ce395f39
SHA-256: 12ca0b44812b21a911391cc57a11be2323a1264f4a5a62cfe474b15f8bd69afa
Risk score: 226

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains numerous external links, many pointing to free or disposable hosting, and carries a social-engineering lure that tells the user to install a browser extension or update. This is the shape of a phishing or malware-distribution carrier rather than a normal document: the link farm and the browser-install lure together indicate the file exists to route users into further malicious activity. Note that the document was created on 2021-04-02 but first seen by this service only on 2021-11-23.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    The document tells the user to install a browser extension, plugin, viewer, or browser update to view its content, a common social-engineering path to credential theft and malware installation.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content (an action, script, or launch entry); here it did not.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the label on each entry states which channel (macro, JS, link annotation, document body, ...) reached it.
    • https://fokemale.ru/strik?utm_term=oracle+12c+client+installation+on+linux+prerequisites (PDF link annotation)
    • http://smartcoin.design/wurumotakuk7vfxd.pdf (in PDF document text)
    • http://onesmall.space/the_art_of_taking_action_gregg_krechs8q8s.pdf (in PDF document text)
    • http://pozuvixa.getenjoyment.net/wovopunoxevumitojitodo.pdf (in PDF document text)
    • http://xelasurugopu.mywebcommunity.org/22443926185.pdf (in PDF document text)
    • http://vazagitomis.mypressonline.com/wawakotawuk.pdf (in PDF document text)
    • http://zizodoroluxonaf.sportsontheweb.net/berichtsheft_vorlage_download.pdf (in PDF document text)
    • http://nanamojuvimujo.medianewsonline.com/what_was_abraham_lincolns_early_life_like.pdf (in PDF document text)
    • http://opsnatur.fun/ezi_wire_windscreen_removalp8o74.pdf (in PDF document text)
    • http://vodoroding.info/blossom_blast_saga_apk_uptodownciw4r.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f001f406-0c68-424a-a432-66fd50ee0a7c/iso_iec_31000_risk_management__principles_and_guidelines.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d800f7cf-32c4-4b7d-8fea-ee4115c319ff/bedeburikikomunazoxotide.pdf (in PDF document text)
    • https://d0570615-6cc6-4b78-9a9c-590639bc525b.filesusr.com/ugd/30850e_4633d2d2f9f844849e1afb520cde389a.pdf?index=true (in PDF document text)
    • https://46fb9a51-9e16-4ad8-811e-2f7ed01702f7.filesusr.com/ugd/53363c_9358750d98af481480d2fff82a11811e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c07ffba4-2967-47be-9640-293dfe19c86f/kung_fu_panda_legends_of_awesomeness_episodes_season_1.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/14cfea77-53bb-4f0b-999e-c4a322603482/gobasakutusekusozifen.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d1e1095c-da9f-49e5-a8a0-fed473568c24/nubobegiwokezarisemaji.pdf (in PDF document text)
    • https://e05653fc-386e-4c8b-889d-738aee72c63e.filesusr.com/ugd/62421a_41589cf664114c94a0062d3e0fd9800a.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bebfa0ed-bb9b-420f-a689-503cb214b35e/letefoma.pdf (in PDF document text)
    • https://57e596f1-a2cf-4e3c-9ba9-dc8e42e7d639.filesusr.com/ugd/1e1da7_c82850391e474699978f7c0bcf94ce0e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1b6f10c3-5bcc-4b47-92b4-e02edcb8fe55/golf_buddy_l10v_rangefinder_review.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/61eb41ee-d1ba-49fa-8e50-cb2fcca8d86e/lamborghini_murcielago_2020_precio.pdf (in PDF document text)
    • https://229c0a76-8cd2-4a6d-ad64-a548a1436bbb.filesusr.com/ugd/f9ed01_569726789ac246ba93fc64e5fe8f5d60.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dd97bbcf-be95-4c18-accf-0c997e706365/80125636847.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2ae0bcad-5806-4272-a0c1-45388cc345be/77514574857.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fa787738-3d87-40d5-a645-c3ede3517206/grafico_mapa_de_riesgos_excel.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9d61a22c-2918-494a-809d-18557441f395/49327586520.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/edfe390b-8714-47d6-8140-b1f67d367360/78103499418.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6a99ab4a-0985-44b8-9e13-b523d05461fb/cappuccino_blast_dunkin_donuts_calories.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Triage note: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL, and the ascendercorp.com entries most likely come from the embedded-font metadata (Ascender is a font foundry); none of these is a lure destination. The actionable indicators are the single utm_term redirector reached through the link annotation and the .pdf links on free/disposable hosts (strikinglycdn.com, filesusr.com, mywebcommunity.org, medianewsonline.com, and the rest), which should be blocked or sinkholed rather than the PDF alone.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off000141ea.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x141EA    5332 bytes
  SHA-256: 57fd1ccc00c2bda1a3666e83910aa43b6254a2b7edafcbaf14ad816cf9005b84
font_01_sfnt_off00015426.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15426    11520 bytes
  SHA-256: 9be3febe1af6765fbeff27b9a6b7d5023f05f29fb5ea86a404b60f922964e39d