Malicious PDF — malware analysis report

Static analysis result for SHA-256 187ad3301b22a2fc…

Verdict: MALICIOUS
File type: PDF
Size: 97.0 KB
Created: 2021-05-24 02:22:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: ee87cc2db69a8ddc63e0c2af52acca0f
SHA-1: 28045da60a0cc00bef8074279b6fd72c8e772888
SHA-256: 187ad3301b22a2fc1bc52bbddd56ff98e6409d8082ba9d7e3c354dad8363f0ed
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The heuristics indicate that this PDF is a phishing lure: an image-only page whose clickable link leads to an SEO redirector of the "free download" family. The PDF itself carries no exploit; the primary indicator is the link-annotation URL https://dugedepap.ru/strik?utm_term=los+voceros+de+cristo+feliz+cumplea%25C3%25B1os+mp3+descargar (note the double percent-encoding of the search term), and the risk lies in whatever that destination serves. ClamAV independently detects the file as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Reached via PDF link annotation (URI action; this is the clickable lure):
    • https://dugedepap.ru/strik?utm_term=los+voceros+de+cristo+feliz+cumplea%25C3%25B1os+mp3+descargar
    Found in PDF document text; filler links to other hosted PDFs with natural-language titles, consistent with the lure family described above:
    • https://cdn-cms.f-static.net/uploads/4366022/normal_606214b30539e.pdf
    • https://cdn-cms.f-static.net/uploads/4367632/normal_6052d80b676c4.pdf
    • https://cdn-cms.f-static.net/uploads/4381085/normal_605279c8eef3c.pdf
    • https://static.s123-cdn-static.com/uploads/4470385/normal_5fffc71b6fe30.pdf
    • https://static.s123-cdn-static.com/uploads/4477916/normal_5fcaeec0a1430.pdf
    • https://static.s123-cdn-static.com/uploads/4406787/normal_5fe2b33a7f4cc.pdf
    • https://static.s123-cdn-static.com/uploads/4468820/normal_5ff11dd05007c.pdf
    • https://s3.amazonaws.com/dixaleko/bathroom_pass_sign_out_sheet.pdf
    • https://s3.amazonaws.com/zisulamisozoto/bootstrap_templates_for_news_site.pdf
    • https://uploads.strikinglycdn.com/files/a1310c78-28a8-46ad-adfe-d029eab86127/is_twilight_a_good_book_for_12_year_olds.pdf
    • https://uploads.strikinglycdn.com/files/d30fbdbb-aacd-44a5-bccc-55c7edcb76f3/why_is_my_bosch_oven_not_heating_up.pdf
    • https://uploads.strikinglycdn.com/files/6d677f55-5b83-457a-abe0-7e5081cdf0c4/purotexej.pdf
    • https://uploads.strikinglycdn.com/files/da3ea0e5-69e1-4d5c-80ec-75006b5b6e09/7566321381.pdf
    • https://uploads.strikinglycdn.com/files/5b871df8-d4d0-493e-8374-06b8fcbce180/32252924688.pdf
    • https://s3.amazonaws.com/murudute/cardiology_study_sheet.pdf
    • https://s3.amazonaws.com/loxopudizus/segifefixoguxi.pdf
    • https://uploads.strikinglycdn.com/files/86d2a759-2f9f-44bf-b8a3-150b1fa28b39/wildgame_innovations_sd_card_reader_instructions.pdf
    • https://uploads.strikinglycdn.com/files/ab2e9983-d3d5-48c6-8fb7-c82505011597/behaviour_support_plan_example_childcare.pdf
    • https://uploads.strikinglycdn.com/files/1240268f-91ed-4351-a5f4-7d6c5f67d575/27179103772.pdf
    • https://uploads.strikinglycdn.com/files/82b85d1c-b239-46fe-b401-f658298f9bb6/flight_of_the_bumblebee_sheet_music_trumpet.pdf
    Found in PDF document text; font vendor/licence strings from the six embedded fonts and XMP namespace URIs, expected in a wkhtmltopdf export and not indicators:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.daltonmaag.com/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
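The three structural heuristics above (PDF_URI, PDF_SEO_UTM_REDIRECTOR_LINK and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced without a signature engine. The script below is an added example, not the analysis platform's code: it scans raw PDF bytes with regular expressions, separates URLs reached through a URI action from URLs that merely sit in page text, tests utm_term for the multi-word natural-language shape, and reports objects defined more than once with different bodies, escalating only when a duplicate carries active content. The sample PDF, its hostname and the escalation keyword list are constructed for the example; the utm_term value is the one from this report.

```python
"""Byte-level re-implementation of three PDF heuristics from the report above.

Added example (not the analysis platform's own code). Scanning raw bytes rather
than using a PDF library means every definition of a duplicated object is seen
(a real parser keeps only one of them), but compressed object streams are not
inflated, so URIs hidden inside them are missed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# "N G obj ... endobj" indirect object definitions; generation is part of the key.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string URI actions: /URI (https://...) ; stop at the first unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys whose presence in a redefined object makes the duplicate worth escalating
# (assumed list for the example).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA|SubmitForm|GoToR)\b")


def find_duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> bodies for objects defined more than once with
    different bytes. Identical re-saves (benign incremental updates) are skipped."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def extract_link_uris(pdf: bytes) -> list:
    """URLs reached through a URI action (link-annotation channel), as opposed to
    URLs that only appear in page text, font licences or XMP metadata."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def is_seo_redirector(url: str, min_words: int = 3) -> bool:
    """True when the query carries a multi-word, natural-language utm_term, the
    shape of the free-download SEO redirector family. parse_qs decodes one layer
    and turns '+' into spaces; the sample is double-encoded (%25C3%25B1 -> %C3%B1
    -> ñ), so decode once more before counting words."""
    for term in parse_qs(urlsplit(url).query).get("utm_term", []):
        if len(unquote(term).split()) >= min_words:
            return True
    return False


def scan(pdf: bytes) -> dict:
    """Run the three checks and return findings keyed by heuristic name."""
    findings = {"PDF_URI": [], "PDF_SEO_UTM_REDIRECTOR_LINK": [],
                "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL": []}
    for url in extract_link_uris(pdf):
        findings["PDF_URI"].append(url)
        if is_seo_redirector(url):
            findings["PDF_SEO_UTM_REDIRECTOR_LINK"].append(url)
    for (num, gen), bodies in find_duplicate_objects(pdf).items():
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings["PDF_DUPLICATE_OBJ_BODY_INCREMENTAL"].append(
            {"obj": f"{num} {gen}", "definitions": len(bodies),
             "severity": "high" if active else "info"})
    return findings


# Constructed sample, not the analysed file: a one-page PDF whose link annotation
# (object 4) is redefined in an incremental update to add the redirector URL, plus
# a content stream that merely mentions a licence URL. xref tables are omitted
# because the byte scanner does not need them; the hostname is a placeholder.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] >> endobj\n"
    b"5 0 obj << /Length 39 >> stream\nBT (http://www.gnu.org/licenses/) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"   /A << /S /URI /URI (https://redirector.invalid/strik"
    b"?utm_term=los+voceros+de+cristo+feliz+cumplea%25C3%25B1os+mp3+descargar) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_PDF), indent=2, ensure_ascii=False))
```

On the constructed sample the licence URL in the content stream is not reported under PDF_URI, because no URI action points at it, while the redirector in the redefined annotation is reported under both PDF_URI and PDF_SEO_UTM_REDIRECTOR_LINK, and object 4 0 is flagged as a duplicate with severity high because its second body carries a URI action. To run it on a real file, pass the file's bytes to scan() and treat a non-empty PDF_SEO_UTM_REDIRECTOR_LINK list as the verdict-relevant finding.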

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f83f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF83F    6440 bytes
    SHA-256: a606a6dede3b99472d2ac97761204782646b5f75106b48d1abccbe9a99ca9a4c
font_01_sfnt_off00010833.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10833   5680 bytes
    SHA-256: 3f063f82fd8e109cd626c0f82dfc507c0e6b0732fdeeec1aed50ca629f373759
font_02_sfnt_off00011b6a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11B6A   2316 bytes
    SHA-256: 0862e89ad58e7f1a0d018bdde91276dde0c1499341f426941c024f45bfc883b1
font_03_sfnt_off0001255a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1255A   12400 bytes
    SHA-256: 03d8cb163f554654318e725bde58905abab551d74168c1e9e089c8d00fdaf493
font_04_sfnt_off00014d82.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14D82   16944 bytes
    SHA-256: c556cf89f9aa0da03bf2103f8662d8ffc1b6c84104292b2792833e11fb7b756c
font_05_sfnt_off00016456.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16456   4324 bytes
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333