Malicious PDF — malware analysis report

Static analysis result for SHA-256 197ffdd0365271d6…

Verdict: MALICIOUS

File type: PDF

Size: 80.8 KB
Created: 2021-03-09 04:58:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20

MD5: 10e5194905a18c6f84d420c122f688bd
SHA-1: bc556c2ca75c95578e2afecad9b9a9bcbad64a1e
SHA-256: 197ffdd0365271d6aa2d66c61c23791944404572ec55e692cabb212bf82293e6

Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing campaign. The primary URL, 'https://xezojetit.ru/123?utm_term=how+to+fix+water+damaged+sheetrock+ceiling', is presented as a guide but likely leads to malicious content. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/123?utm_term=how+to+fix+water+damaged+sheetrock+ceiling (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fca0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCA0
    Size: 5620 bytes
    SHA-256: 69abd2d232d9ed14c7969b906bd369a52cd551efd6a6fc69907cc44358607f58
  • Filename: font_01_sfnt_off00010fac.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10FAC
    Size: 10992 bytes
    SHA-256: 6afdaff1b5fd7a7a3bedc32d2fd403db79e5fdf4efe56058b5cb220304391c7f