Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c37771893af78f8…

MALICIOUS

PDF

76.5 KB Created: 2021-06-11 18:40:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 53634eab0d56f912032d200a0451e044 SHA-1: aa8e123488ef5b31cbb5703217a6fa4724c4b613 SHA-256: 2c37771893af78f8a7996e493fea9ebb130ecd68d20b2486d793526269f08e04
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The primary lure appears to be 'Best free barcode scanner app', which is likely a pretext to drive traffic to these external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/pbw?utm_term=best+free+barcode+scanner+app PDF link annotation
    • https://depujoseteg.weebly.com/uploads/1/3/5/3/135309287/3479e3662.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393624/normal_60bfdd357ac0c.pdfIn PDF document text
    • https://nafuvazufu.weebly.com/uploads/1/3/1/4/131407552/sugijarugazun.pdfIn PDF document text
    • https://static.s123-cdn-static-d.com/uploads/4408464/normal_60b46a7ca7d94.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4473651/normal_6059793b2d7b7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4484807/normal_5fd9d79fb2ae0.pdfIn PDF document text
    • https://wofigazidiw.weebly.com/uploads/1/3/1/4/131437722/fikotumazal-vasigev-kovim-wukejoxegufen.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4459776/normal_5fe241ead8abe.pdfIn PDF document text
    • https://zisawotagaxikad.weebly.com/uploads/1/3/4/4/134478332/1728690.pdfIn PDF document text
    • https://mokapojigum.weebly.com/uploads/1/3/4/6/134690111/dukin-rukabodatajuvo-pesuzu-jelugudizuxako.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4410985/normal_600be66a4512e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4426062/normal_6019f5ef837b5.pdfIn PDF document text
    • https://voderixata.weebly.com/uploads/1/3/4/2/134266977/9651440.pdfIn PDF document text
    • https://nujatorub.weebly.com/uploads/1/3/1/8/131858108/tupojipamiwavexufe.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4403274/normal_60bfbb7553e6d.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4371788/normal_5ff183e555cba.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/da4724af-632b-4b21-a5f5-5c9ab85fa150/83410387087.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/66c422bf-534e-465c-bc41-c863bd397f5a/how_to_factory_reset_alesis_dm10.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bf100b47-7faf-42d7-9314-712cf447b310/what_meat_is_good_to_cook_in_air_fryer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6fc02e98-7c79-46d4-85ed-528d2976261f/the_book_law_definition_of_indictment.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed96.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xED96 5308 bytes
SHA-256: 4aa9b1d561318ac9d98171d2a2093cd4f09a65a2aa1e8b22645ead0b9f1510b8
font_01_sfnt_off0000ffae.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFFAE 10824 bytes
SHA-256: 29f3dde39f2361bf207785add2b8fd6907945bc20d41a979e49233bd7e312986