Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f60d158be4d41ea…

MALICIOUS

PDF

Size: 88.0 KB
Created: 2021-05-20 06:35:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 57cd91c9729949bc32a74bef27092e8a
SHA-1: cc9e40b614abef995f6eada9d0f3e864a3293fd3
SHA-256: 2f60d158be4d41ea0c7d604d636a08b82e1e979df59b11174785cacf85aace4e
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to disposable hosting and utilizing UTM parameters, indicative of a link farm designed to redirect users. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and ML classifier flagging further supports a malicious intent. While no scripts were directly extracted, the heuristic firings suggest the document's primary function is to lure users to external sites, potentially for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f768.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF768 | 5520 bytes
  SHA-256: 6d37852c2acabad325c0e1778a5b963b6b7887b4af8b1cdc4eaf37840faf9609
font_01_sfnt_off00010a34.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A34 | 2360 bytes
  SHA-256: c46f8cb3844744be413c1b80a1cea5bea384180a2cc82d2d41a98c1c09b34424
font_02_sfnt_off0001146c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1146C | 11140 bytes
  SHA-256: a345ce460357d53cbb7195142f33925f2075791a64239e552e2b5de0b3f17406
font_03_sfnt_off00013aa8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13AA8 | 16092 bytes
  SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848