Malicious PDF — malware analysis report

Static analysis result for SHA-256 317810547c515557…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-04-24 11:19:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 71c2bc9afbe89f98d002b68d4cbc8ff3
SHA-1: ced6115fe0a8fc3236a47e64e3b19b9474a7464f
SHA-256: 317810547c51555780696cea60dd26edf13a94d114350743d45319f18f18bbde
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits the characteristics of a phishing lure, specifically an SEO link farm designed to redirect users to potentially malicious websites. The presence of numerous external links, including one pointing to a redirector with UTM parameters, strongly suggests an attempt to drive traffic to spam or phishing content. The ML classifier verdict and the ClamAV detection further corroborate its malicious nature, indicating that it is likely a phishing or trojanized document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Reached via PDF link annotation:
    • https://jumiwimov.ru/strik?utm_term=ocr+french+vocabulary+list+pdf
    Found in PDF document text:
    • https://cdn.sqhk.co/letaziseb/YhcbAic/vemaximesepuzamu.pdf
    • http://tokesuditetu.getenjoyment.net/mejaguf.pdf
    • https://cdn.sqhk.co/kawonidoza/TidMRgj/22894056748.pdf
    • http://zonizubiro.getenjoyment.net/tuesday_with_morrie_movie_online_free.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/muwemivumazulax/how_to_reset_hp_stream_11_to_factory_settings.pdf
    • https://s3.amazonaws.com/xupizewuxere/59731424066.pdf
    • http://wawikoduvebakap.onlinewebshop.net/53199786360.pdf
    • https://8ac5c8e1-9174-427d-95c2-90bebb9f105a.filesusr.com/ugd/44b221_5b90a34d38d54cdcb87f5ba3748d2797.pdf?index=true
    • https://018ae6bf-5b6e-4bf7-bb5f-89503284f855.filesusr.com/ugd/b7931c_116f9cf103384450b42de289b9f08f48.pdf?index=true
    • https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_84defe2d8ea54eb6a670b4414333b98c.pdf?index=true
    • https://s3.amazonaws.com/gupawupigawono/fagomumugukuxamomujam.pdf
    • https://s3.amazonaws.com/sikuva/liwipakukis.pdf
    • https://s3.amazonaws.com/nagudo/aashto_asphalt_mix_design.pdf
    • https://s3.amazonaws.com/libosokune/topuga.pdf
    • https://s3.amazonaws.com/visagogijulep/bakuvusigirinamezim.pdf
    • http://rixibedi.onlinewebshop.net/issuu_books_free_download.pdf
    • http://kuxubakelixuzot.atwebpages.com/degree_of_freedom_mechanics_examples.pdf
    • http://leparitupoxow.onlinewebshop.net/dibujos_para_colorear_cartoon_network.pdf
    • https://s3.amazonaws.com/zoromexemuzid/celtic_garamond_pro_rough_font_free.pdf
    • https://3df06c22-1e8a-4082-8cc2-a0fdc0609706.filesusr.com/ugd/d86e81_e1293e232afc4183b170a1352b0f7e45.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d97b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD97B
    Size: 5572 bytes
    SHA-256: cdfd681f710fb4ea3328108d7d5d989ea9ab0ef4c4cdf154b3c94d96d06f35dc
  • font_01_sfnt_off0000ec69.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC69
    Size: 11132 bytes
    SHA-256: 21cba139d79dc3017941bbeeb0c9d5c914aac4172e44f83111f4ee65a20f74b1