Malicious PDF — malware analysis report

Static analysis result for SHA-256 2287a3e9517e60f4…

MALICIOUS

PDF

74.4 KB Created: 2021-03-23 07:59:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13
MD5: 1feb6ba7de04dba9bbda7c2fba68eefe SHA-1: 68d386a7de1a9c9a7be526481fb2504109935dbf SHA-256: 2287a3e9517e60f41f6d8ce18648a66964497e92598ff159ed18c56e5477042d
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was identified as malicious by ClamAV and an ML classifier, and it contains a large number of external links. Several of these links point to disposable hosting or domains with unknown reputations, suggesting a link farm or distribution mechanism. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which could be part of an SEO manipulation scheme or a lure for malicious downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/123?utm_term=acc+aha+atrial+fibrillation+guidelines+2017 PDF link annotation
    • http://trend-sales.fun/holy_quran_in_english_and_arabiclfyvv.pdfIn PDF document text
    • http://silvanozito.online/xuxepu6rptz.pdfIn PDF document text
    • http://tadidavazutopa.sportsontheweb.net/59751068520.pdfIn PDF document text
    • http://vazewuxu.mywebcommunity.org/how_to_charge_my_ps_vita_without_the_charger.pdfIn PDF document text
    • http://kvrovk.xyz/kenmore_washing_machine_repair_near_meii4jr.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://b2fc43c4-60ab-4dc1-a1c8-84833fda4e2a.filesusr.com/ugd/37321e_31cabedf20b04e61afcf06bfacaf50b7.pdf?index=trueIn PDF document text
    • https://855e1e5b-0daf-4dce-aa73-dfad2bfec5df.filesusr.com/ugd/ced2dc_d0cd63fc5ea54bd4b7984f345cc34e93.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f67952c-0fd1-4579-8c18-0a1b99ea5837/vitamix_strawberry_banana_ice_cream_recipes.pdfIn PDF document text
    • http://bidusibebawuz.onlinewebshop.net/51648020505.pdfIn PDF document text
    • https://s3.amazonaws.com/lazolu/kesafetagixunirolakix.pdfIn PDF document text
    • https://77701ba7-c5ad-4750-ab17-5b03548f7fc0.filesusr.com/ugd/9a242c_c34e5a8fbe0e4969a1e3e4b3b2db5bfe.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/nonipesikiri/heart_of_darkness_quotations_explained.pdfIn PDF document text
    • https://591379ed-26d0-4405-baa7-5b8dadede013.filesusr.com/ugd/866ffa_a54565ab4b104990b228b31bd0b222bb.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/kiwopusafize/adenitis_cervical_en_pediatria.pdfIn PDF document text
    • https://bdc3fad0-85dd-4e34-85f7-620d54d4ff6f.filesusr.com/ugd/10cedf_14666ca8e56d42a7bbe3e07d48fb2d37.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e3a2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE3A2 5820 bytes
SHA-256: a98e7d04a21ad3875e7a370c92bec9712916f514a8ae90880aca3e6d342c87ae
font_01_sfnt_off0000f779.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF779 11064 bytes
SHA-256: 0768082cdbe9ecd24bdb935daf377ce04c091bfb40e2555ac66f539b89aa0aac