Malicious PDF — malware analysis report

Static analysis result for SHA-256 216b6606a55a04c4…

MALICIOUS

PDF

79.8 KB Created: 2021-04-18 03:57:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-02
MD5: 4977facb4186f64924282b66adb476ec SHA-1: 2d8ea79224a65ae123e6ef2f5af3b0a503a17aba SHA-256: 216b6606a55a04c44021b14e142e1157250ac5c790633f6db6918eadf563e579
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous external links to other PDFs hosted on various domains, some of which are disposable. The primary URL, 'https://golowaki.ru/strik?utm_term=the+company+of+wolves+angela+carter+summary', suggests a potential SEO manipulation or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/strik?utm_term=the+company+of+wolves+angela+carter+summary PDF link annotation
    • https://cdn.sqhk.co/tivinarafuvu/yhguXM1/mars_retrograde_2020_vedic_astrology.pdfIn PDF document text
    • https://posuzelivoj.weebly.com/uploads/1/3/4/8/134869480/jipuperutovozire.pdfIn PDF document text
    • https://cdn.sqhk.co/kewudomavave/ge2rjhL/grow_empire_rome_cheats_2018_ios.pdfIn PDF document text
    • https://fumadutukit.weebly.com/uploads/1/3/1/4/131437402/kifodonod.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4455657/normal_60302838a1d64.pdfIn PDF document text
    • https://cdn.sqhk.co/gibiganegaz/dhfihhj/fusewezisoziguvom.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4411252/normal_6061297f55109.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4404975/normal_60397ea6968e4.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/eadc8ab8-a5e6-42ca-a73a-2500dca6d7e5/tipekaxifegeg.pdfIn PDF document text
    • https://af18ad75-7652-4b25-b9e0-8da5fded0af1.filesusr.com/ugd/529385_3c2d56ba319247a1ac196c2e68cc2d74.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/a2a976dd-6e84-4264-b440-b2df229e13c5/40296193499.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3fa0e80f-61b0-4d67-b21d-615c89142340/8284854278.pdfIn PDF document text
    • https://abbf68a8-5b21-4996-91be-11266bd273ed.filesusr.com/ugd/9374a7_86a7c9d817ec46068120fbb34c21077e.pdf?index=trueIn PDF document text
    • https://1cf095b7-1d29-4152-b82c-7733cf7ba0c7.filesusr.com/ugd/c1de29_bc0933466d5342e5ac51e0d677060b71.pdf?index=trueIn PDF document text
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_6044f106bb15460d9a438f1dfb3c84ea.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/400bf3ba-17ab-4880-bb7b-1e38fd193edd/rutev.pdfIn PDF document text
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_9c8886a008ba42be96c7fcc8e88ca781.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa8c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA8C 5632 bytes
SHA-256: fc73207fe865289e545a9287a7304028c9b0ccfa03987cbddd2110994bddf586
font_01_sfnt_off00010db1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10DB1 10608 bytes
SHA-256: 37d68207d0c37f796f60adaa35cc5e4a0c99b35a9cd27f7cf5866f6ed28386c8