Malicious PDF — malware analysis report

Static analysis result for SHA-256 15c1795493c7a8c2…

MALICIOUS

PDF

Size: 78.4 KB
Created: 2021-03-17 15:11:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: f80918988892ac4461dea3cc5fa66b4f
SHA-1: 94d8cf7fca55daf3935bea799cc40f6016d1bd33
SHA-256: 15c1795493c7a8c2b942336db2b9c0fe49203d11e2207d696b9616e6c2e59233
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable domains, suggesting it's part of a link farm designed to drive traffic or host phishing content. The document body, though heavily obfuscated, contains metadata related to 'wkhtmltopdf' and a title that appears to be a lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each with the channel that reached it:
    • https://zajinet.ru/123?utm_term=amplificateur+d%2527+instrumentation+pdf (channel: PDF link annotation)
    • https://cdn.sqhk.co/lutadamafe/idhjjDP/vampires_wife_dress.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/pojuwudedi/VSqB1dY/song_hits_different.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/serodozire/ggSibZf/new_photo_editor_online_2020.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/tezofugowura/aijbjba/can_you_practice_free_kicks_in_fifa_21.pdf (channel: PDF document text)
    • http://idealica-italiaoficial.site/33657920650ws8ah.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/xusovatovu/ciclHLh/golf_galaxy_in_warwick_rhode_island.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/tatudawo/cjgcVwp/table_tennis_scores_scoreboard.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/wanazofemuvu/zxUih3t/jurupigaz.pdf (channel: PDF document text)
    • http://kigurumi.org/honeywell_econoswitch_home_depotffss4.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/norowitidot/chiihXo/pool_table_pocket_size.pdf (channel: PDF document text)
    • http://www.ascendercorp.com/ (channel: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/02ac1c95-c6c9-433b-8d9b-4cd606418963/xozesijopazevefitadubuxo.pdf (channel: PDF document text)
    • https://c4cd0dbc-23d7-4f11-b65f-2561cec8abe5.filesusr.com/ugd/516793_b6f272c2570c4dc1a5d0e8cf9eb87cdf.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/b1cbd8d7-6ec7-410d-833b-858f57adab80/what_does_a_bank_compliance_officer_do.pdf (channel: PDF document text)
    • https://9505ca4c-dfdc-4941-8fde-ded35496d0c9.filesusr.com/ugd/2097ab_f1d14db8b41e47adb627ca5829b4f850.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/445c1a5a-3eaa-4820-beda-124c1084f87d/lesepuzuj.pdf (channel: PDF document text)
    • http://desiwafinu.epizy.com/cloudformation_validate_template_yaml.pdf (channel: PDF document text)
    • https://3ff4c494-4984-418a-b709-7a5c611cca0a.filesusr.com/ugd/adbee0_9e1efca90c79462bacf27a23c7204632.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/0c7fdc35-7bd3-4a36-87ae-f7ff7b951733/vawavusakegulot.pdf (channel: PDF document text)
    • http://kuporalegumema.epizy.com/83649642522.pdf (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/d19fb743-9877-4606-a968-a571e9f47227/i_wished_for_you_an_adoption_story.pdf (channel: PDF document text)
    • https://810dce77-56ab-4324-823a-3549757f4eab.filesusr.com/ugd/1fad07_7e9646985c9a4f62a42fe57221317d2c.pdf?index=true (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/ (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (channel: PDF document text)
    • http://scripts.sil.org/OFL (channel: PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f22a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF22A
    Size: 5324 bytes
    SHA-256: 07e5325495352c63fc2a4035c71242aa8557fd90062a7c464d378a02ddf71c60
  • Filename: font_01_sfnt_off00010438.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10438
    Size: 12088 bytes
    SHA-256: f5dc1d8a6136c2b162a78b1b69bb689012c953f64088b7d596c6bf8464438e86