PDF malware analysis — malicious · 2cb1f9d2b2344bd2

MALICIOUS

PDF

71.6 KB Created: 2021-02-28 23:12:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-04-25

MD5: 34a406174094dd05c71578eb262328ba SHA-1: 264c1d9c62e133a3c826014713db4da6d0ee0aa5 SHA-256: 2cb1f9d2b2344bd27c0d988875cdf9e15fc3e99b32e06de4c4a4f329b90bd507

326 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 10

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dugedepap.ru/award?keyword=windows+powershell+command+history+file PDF link annotation
- https://dazuzidasepod.weebly.com/uploads/1/3/2/6/132681566/7305988.pdfIn PDF document text
- http://evakuator-uga.ru/58048087289mwt5r.pdfIn macro / runtime command snippet
- http://twenty-promo2020.ru/12647399539em276.pdfIn macro / runtime command snippet
- https://cdn.sqhk.co/norumuwapa/SI4ijDX/dosabitivarorasa.pdfIn PDF document text
- https://fasukawoj.weebly.com/uploads/1/3/1/4/131453618/af182e.pdfIn PDF document text
- http://fortysgjdk.fun/line_6_pod_pro_manualdtff6.pdfIn PDF document text
- https://cdn.sqhk.co/xexanodu/ffCohc4/72526280824.pdfIn PDF document text
- https://weritesi.weebly.com/uploads/1/3/5/3/135314652/2131001.pdfIn PDF document text
- https://kinijanara.weebly.com/uploads/1/3/4/5/134585029/pijut.pdfIn PDF document text
- http://byt-upak.ru/wemaper1iv5.pdfIn PDF document text
- https://cdn.sqhk.co/ketixudolu/9GijJG6/49696963554.pdfIn PDF document text
- https://nolizusumebixaz.weebly.com/uploads/1/3/1/4/131438071/ecf1b07d70e8f.pdfIn PDF document text
- https://wuzesitawe.weebly.com/uploads/1/3/4/7/134733123/pegedidojadu_zajomid_xiditonupexu.pdfIn PDF document text
- https://dazuzidasepod.weeblyIn macro / runtime command snippet
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://pewizofiwerobep.rf.gd/cara_buat_survey_guna_google_form.pdfIn PDF document text
- http://wekujugom.epizy.com/whatsapp_for_android_2._3_3.pdfIn PDF document text
- http://jolavewavesuj.epizy.com/38899693837.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_00011921.bin`	pdf-embedded-script	PDF raw stream script payload at offset 0x11921	1616 bytes
SHA-256: `b718541106a179bbf1afe8ab987d0d84571628384d8959433487dce2dc2ea31f`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script <?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?> <x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Karbon'> <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'> <rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/' dc:format='application/pdf'> <dc:creator> <rdf:Seq> <rdf:li>Fomipuwo Gufaleyi</rdf:li> </rdf:Seq> </dc:creator> <dc:description> <rdf:Alt> <rdf:li xml:lang='x-default'>Windows powershell command history file. By default, Windows PowerShell (as well as a team query) only saves the history of the commands you'</rdf:li> </rdf:Alt> </dc:description> <dc:subject> <rdf:Bag> <rdf:li>Windows powershell command history file. By default, Windows PowerShell (as well as a team query) only saves the history of the commands you'</rdf:li> </rdf:Bag> </dc:subject> <dc:title> <rdf:Alt> <rdf:li xml:lang='x-default'>Windows powershell command history file</rdf:li> </rdf:Alt> </dc:title> </rdf:Description> <rdf:Description rdf:about='' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Karbon'/> <rdf:Description rdf:about='' xmlns:xmp='http://ns.adobe.com/xap/1.0/' xmp:CreateDate='2020-06-04T06:55:43' xmp:CreatorTool='Karbon'/> <rdf:Description rdf:about='' xmlns:xmpMM='http://ns.adobe.com/xap/1.0/mm/' xmpMM:DocumentID='d2856491-7625-42e4-ac26-ae30c963ff18' xmpMM:InstanceID='dd0f053e-a500-4d9e-8ba5-3579ab78124f'/> <rdf:Description rdf:about='' xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/' xmpRights:Marked='True'/> </rdf:RDF> </x:xmpmeta> <?xpacket end='w'?>
`font_00_sfnt_off0000d97b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD97B	5604 bytes
SHA-256: `89c50293ffd610e7eee5a0d71d0054b7760222224fa30e188a00a9cccf7df58a`
`font_01_sfnt_off0000ec7c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC7C	10856 bytes
SHA-256: `dcc5c3bfb1fd11d94a44922fa9757df04974b874256b44e40274f93380c46851`

Open this report in the interactive analyzer, or submit your own file for analysis.