Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e216cfd09f701d1…

Verdict: MALICIOUS
File type: PDF
Size: 77.8 KB
Created: 2021-05-03 16:55:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: b1877f63925fee83667b920657ec4ef7
SHA-1: 78f094578288a406513eb15dd0d94d689f88de0b
SHA-256: 2e216cfd09f701d12f21243a28b155844b358adaa3080449a17177904785e614
Risk Score: 324

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier. It functions as a link farm, directing users to various potentially malicious URLs, including one that appears to be a redirector for software downloads. The document also contains instructions to disable security software, a common tactic to facilitate further malicious activity. The presence of numerous links on disposable hosting and the redirection URL suggest an attempt to distribute malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dea2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDEA2
    Size: 5824 bytes
    SHA-256: e869867066052080f153c8de360abae47e5ea43d4b858de914199eadc62cf36d
  • font_01_sfnt_off0000f29d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF29D
    Size: 11972 bytes
    SHA-256: 5e9a6af7c5806639a740c1e45ad97e07183aaf45eedf8bfdac96059889880568
  • font_02_sfnt_off00011afa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AFA
    Size: 4324 bytes
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34