Malicious PDF — malware analysis report

Static analysis result for SHA-256 17999f94aba5515d…

MALICIOUS

PDF

86.9 KB Created: 2021-09-20 08:43:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 4db5eb259eaf3e3198fdface85105984 SHA-1: 66b766a0a594af7cc57d51bb11f928aa734a81e8 SHA-256: 17999f94aba5515d1cdf7d760d3885d4e6135d9f2f9f41b343d0aaf10c4e59bc
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and numerous external URIs, many of which point to disposable hosting and are used in a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware. The embedded JavaScript is a common technique for executing malicious code within PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=watch+so+not+worth+it+online+free PDF link annotation
    • http://exmar.it/foto_fck/file/8061426889.pdfIn PDF document text
    • http://fruhmann-elektrotechnik.at/vakakebodunekulakege.pdfIn PDF document text
    • https://shatalarab-llc.net/userfiles/files/gidaxit.pdfIn PDF document text
    • http://www.portofmiamitunnel.com/system/js/back/ckfinder/userfiles/files/zinetevuzabipa.pdfIn PDF document text
    • http://vasset.bg/userfiles/file/26713348381.pdfIn PDF document text
    • http://bjjiffy.com/upload/29827781867.pdfIn PDF document text
    • http://www.juniorcollege.cl/ckfinder/userfiles/files/13385229445.pdfIn PDF document text
    • https://getracemirates.com/userfiles/files/fibugafatamapofesasapa.pdfIn PDF document text
    • https://korvioinfotech.com/ckfinder/userfiles/files/79730844857.pdfIn PDF document text
    • http://apismorava.eu/docs/10031357592.pdfIn PDF document text
    • http://www.scenekunstskolen-efteruddannelsen.dk/ckfinder/userfiles/files/fedodaxewaj.pdfIn PDF document text
    • https://kp-bs.ru/upload/files/36271993091.pdfIn PDF document text
    • http://jumpinfit.it/userfiles/files/burubiwidunufusija.pdfIn PDF document text
    • http://eskuvoiiranytu.hu/blog/file/84990228040.pdfIn PDF document text
    • http://boldino-hotel.com/ckfinder/userfiles/files/72131294466.pdfIn PDF document text
    • http://kazuma.ru/ckfinder/userfiles/files/xejekawop.pdfIn PDF document text
    • http://hk-bbc.com/upload/file/rejex.pdfIn PDF document text
    • http://atek-ent.com/upload/file/97144793475.pdfIn PDF document text
    • http://xindeshiye.com/uploadfile/file///2021090921234893.pdfIn PDF document text
    • http://www.eau-msu.ru/ckfinder/userfiles/files/73598928567.pdfIn PDF document text
    • https://rrvchefs.com/wp-content/plugins/super-forms/uploads/php/files/a80da8c174dc77ceea223c8679e2a1db/lawijevupoxefobibo.pdfIn PDF document text
    • http://keyflounge.nl/userfiles/file/74921650071.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee47.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE47 10512 bytes
SHA-256: a4533dcabcb50cab4f1a4c7a77cfe0caf99915ca73e4c676eb8be3d6ff9ce717
font_01_sfnt_off0001063b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1063B 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011e4d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11E4D 18716 bytes
SHA-256: 5a74c8bae637e6892b31c732f812ee2f0329931daff680e1650900b8d97aeeef