Malicious PDF — malware analysis report

Static analysis result for SHA-256 2291889e7c5b735c…

MALICIOUS

PDF

81.9 KB Created: 2021-03-22 04:21:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 656aeb7cf9ef5399074cafbea07f1cdd SHA-1: 775bcf640ce057e38ba45066fae39521708745d2 SHA-256: 2291889e7c5b735ce13c2f65070003ee762758dcd4ae495a1e78e790f557f11f
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a link farm designed to redirect users to various external sites, masquerading as a guide to download free software. The heuristic firings indicate a high volume of external links, many on disposable hosting, and a specific ClamAV detection for Pdf.Phishing.Trojan. No scripts were extracted, but the overall structure and URL patterns suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=how+to+download+final+cut+pro+for+free+2019
    • https://cdn-cms.f-static.net/uploads/4390097/normal_601fd4fbdc66c.pdf
    • https://jagefefax.weebly.com/uploads/1/3/4/2/134235663/perotoladotisu.pdf
    • http://keksik24.ru/mercer_quality_of_living_survey_2019_indiaxamoq.pdf
    • http://cartest.pro/663959057452ppyd.pdf
    • https://bogogumufen.weebly.com/uploads/1/3/4/0/134018830/2ff95da1.pdf
    • https://static.s123-cdn-static.com/uploads/4383804/normal_5fed50bb10ee5.pdf
    • https://kiseridebajesa.weebly.com/uploads/1/3/1/4/131408791/xegedekukubebeb-filibilo.pdf
    • https://wubawujol.weebly.com/uploads/1/3/4/2/134266052/texifegidupixejap.pdf
    • https://cdn-cms.f-static.net/uploads/4490746/normal_6057c9683ee36.pdf
    • https://xufolonul.weebly.com/uploads/1/3/2/6/132695880/343c5.pdf
    • https://pegebitejujag.weebly.com/uploads/1/3/4/4/134445458/vabirivivu.pdf
    • https://cdn-cms.f-static.net/uploads/4383577/normal_600bc3c2b863b.pdf
    • http://vipadminler.org/fiwuporowaxomignx28z.pdf
    • http://vbnmcxz.xyz/is_eating_gluten_free_good_for_weight_loss0y7ji.pdf
    • http://lofitner.buzz/lojusokavoxujogebikivwbdc.pdf
    • https://galixasuja.weebly.com/uploads/1/3/4/5/134518214/vujivezejiru.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e46eb8ae-11b5-47af-91b5-79e2db369635.filesusr.com/ugd/f84671_66e6e14fb9ae49af9365d3e904ecc582.pdf?index=true
    • https://s3.amazonaws.com/gawabog/musalamufunoridug.pdf
    • https://104e3d6a-8609-4a5f-ba89-88df40aeb326.filesusr.com/ugd/3cb22f_2047013597ab4bf48821cec74b8dc9a3.pdf?index=true
    • https://d128792e-e0a8-46e0-98ed-b941f5da69b2.filesusr.com/ugd/b98abb_2f577a562a5d41b89735c8b23b4e7d85.pdf?index=true
    • https://s3.amazonaws.com/mavixu/pabitapixeno.pdf
    • https://s3.amazonaws.com/zuwosil/free_books_of_watchman_nee.pdf
    • https://s3.amazonaws.com/gateme/john_deere_310d_backhoe_fuel_pump.pdf
    • https://584dc5e1-4449-4bca-b3d9-d0e1fa08a972.filesusr.com/ugd/185caa_541f088d6f9b4039b199e6a398eda529.pdf?index=true
    • https://s3.amazonaws.com/vizegemawokaxe/65379973997.pdf
    • https://0eaabcdb-938a-45a6-85a3-1a7d796bbcdd.filesusr.com/ugd/8d6d25_209a7ac3806e49939357f695446a6101.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001004a.bin
d74bb4496fca96fa75cf76ff393b1fe757f5aaf2c90baebe8cb9240d14d5e197		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1004A 5508 bytes
font_01_sfnt_off00011335.bin
9cc50f99eeb1f8be1f4a164267e16f663b42ad9b93e98536bfd3c303d32adb00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11335 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.