Malicious PDF — malware analysis report

Static analysis result for SHA-256 2211449436920d21…

MALICIOUS

PDF

Size: 70.2 KB
Created: 2021-05-09 07:13:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: dd54b6fac8a4ba05e779136428257243
SHA-1: 59caa70de34a3b05fc20a1fc1d0f38fc48835d94
SHA-256: 2211449436920d215d1a51d7e77fa87b04a06ba493c03712b640d116193948c0
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d253.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD253 | 5424 bytes
  SHA-256: 4292080441a0d4d2f7d61b27e36a97cc4fd99cdc6c9b271941a02dd26a674631
font_01_sfnt_off0000e4bd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4BD | 11628 bytes
  SHA-256: f6a3c02d5040af29c3d41dcf82919b45dbab17f64127c11a73651806b7f37ab3