Malicious PDF — malware analysis report

Static analysis result for SHA-256 194794134754135a…

Verdict: MALICIOUS
File type: PDF
Size: 85.9 KB
Created: 2021-04-24 07:56:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: c3f59565f6a9e318ce1feaf17a0cc3dc
SHA-1: 45bc1edde2f59ddffb86cae8bd0d059f721d5f5d
SHA-256: 194794134754135a563d4d4fff9940a7fb3ea5d91a4106e8ed78c49e58551eb7
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many pointing to disposable domains and employing UTM parameters, suggesting a link farm or phishing lure. The presence of external URIs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic indicate an attempt to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f99d.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0xF99D; size: 5628 bytes)
    SHA-256: cefbc3433643ac031cbabe00989862a24fe082a7f3b35636dfdb24645d87c63c
  • font_01_sfnt_off00010cce.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x10CCE; size: 11308 bytes)
    SHA-256: b5e412941a39e21ea2e28fe81025e0eda1318f2731da6b3b791cf8d603d0d280
  • font_02_sfnt_off000133a2.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x133A2; size: 16228 bytes)
    SHA-256: 91a11e41b4092e9400394539ee62b63524bf83af8547c09cbbbc51a7244bbaf0