Malicious PDF — malware analysis report

Static analysis result for SHA-256 30f60fa66ce68079…

MALICIOUS

PDF

96.5 KB Created: 2021-03-17 15:56:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 5fab26c5573b36f5a85f1a202d6d2fe4 SHA-1: 592c848cafd2d7f9c6a312e00f8a1154031f9cee SHA-256: 30f60fa66ce680798d4f04420d04d54e37940319218bbffb594b8d6ef1585b72
346 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, specifically flagging it as a credential phishing lure impersonating UPS. It contains a link farm with numerous external URLs, many hosted on disposable domains, and instructs the user to download a password-protected archive, a common tactic to bypass gateway security. The presence of embedded JavaScript, though obfuscated, suggests an attempt to execute malicious code or further facilitate the download and execution of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics 10

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://polovetanofup.weebly.com/uploads/1/3/5/3/135330247/tejatugewesug.pdf.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/123?utm_term=uc+browser+windows+phone+app PDF link annotation
    • https://polovetanofup.weebly.com/uploads/1/3/5/3/135330247/tejatugewesug.pdfIn PDF document text
    • http://lofajemami.sportsontheweb.net/19369274833.pdfIn PDF document text
    • http://about-igsupport.com/69543640310n2bp.pdfIn PDF document text
    • http://nakodinita.scienceontheweb.net/what_phrase_signals_a_compare_and_contrast_text_structure.pdfIn PDF document text
    • https://sevafigetof.weebly.com/uploads/1/3/4/9/134902911/5962882.pdfIn PDF document text
    • http://piter.store/rugaferimapifekafudiwevm1iox.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4403685/normal_600776ed04923.pdfIn PDF document text
    • http://opt15.ru/dugupuvaxogawalegi8z9dh.pdfIn PDF document text
    • http://nubuxeki.scienceontheweb.net/4th_grade_math_worksheets_printable.pdfIn PDF document text
    • https://dufofumiwiz.weebly.com/uploads/1/3/5/3/135309849/favejatutev-balowelir-losakisota.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4467287/normal_5ff4c20e4ea37.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373770/normal_601baa3571ce4.pdfIn PDF document text
    • http://alphabitx.com/game_basara_apk_modmui3y.pdfIn PDF document text
    • http://smeshnoykir.space/vegetable_calorie_chartkijt3.pdfIn PDF document text
    • https://fiwozipuwawew.weebly.com/uploads/1/3/0/8/130814157/796385.pdfIn PDF document text
    • https://derovidexaw.weebly.com/uploads/1/3/1/3/131382126/sosawexagevuzoke.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/5eae3822-d175-43b3-af19-5a3b286ebc7f/watts_per_meter_squared_to_temperature.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/dbeba835-dcc8-4895-9b59-aebf2185158c/ryobi_10_portable_table_saw_dado_blade.pdfIn PDF document text
    • http://jabejanaboz.atwebpages.com/6642964420.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1bf44bcc-2042-40e3-b28d-d8c5a0acc867/68633113870.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3ae4a27-0395-4e27-9064-3f9dd1c3e636/my_roku_remote_wont_work_with_new_batteries.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e178b78f-9fe5-44f9-81be-041412a4ecc4/remington_700_stock_mounting_screws.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a52475a1-2453-4f9f-a6d4-7a9b75b0d43a/nenore.pdfIn PDF document text
    • http://visugog.myartsonline.com/pdf_to_word_converter_software_download_for_pc.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eaf63e93-5cda-44f6-93ad-7df9a8279715/lakukazudifusosur.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cbcdf87d-5f08-4a81-9a31-3941ee260f51/sunbeam_warm_mist_humidifier_user_manual.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012f98.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12F98 5060 bytes
SHA-256: 1a268a8dc5e05e3f6450ff1a9e9bf1b796e311f9342623ed070ee75a4664f9c6
font_01_sfnt_off000140b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x140B7 11096 bytes
SHA-256: dff6dad50a9b40f3d5e77136ffb1df77fd40343112092a7431878c35d0eb4b09
font_02_sfnt_off00016682.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16682 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2