Malicious PDF — malware analysis report

Static analysis result for SHA-256 33944ec1f625c264…

Verdict: MALICIOUS
File type: PDF

Size: 92.5 KB
Created: 2021-05-05 18:36:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: d8a9b45c982d1a6b89de3baab2dc6b05
SHA-1: 8276285e67623bf314d93ec3d7109dd5bae82b89
SHA-256: 33944ec1f625c2642caf91011692d437d57e16149a84ba9de0a8695755adb5ce
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links to other PDFs, most of them parked on free or disposable content hosts, which is the shape of an SEO link-farm document rather than a genuine citation pattern. The Nyx PDF classifier (malicious score 0.9970) and the ClamAV signature, together with the PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM heuristics, point to a generated carrier (the file was produced by wkhtmltopdf) whose purpose is to route users into harmful or unwanted-software delivery chains. The file's only link annotation is a utm_term SEO-redirector URL whose query string is built from an anime-rating search query, the lure the document is meant to rank for. The PDF itself carries no exploit; the risk is in the linked destinations. Note that none of the heuristics listed below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by a finding in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=rising+of+the+shield+hero+anime+rating (PDF link annotation)
    • http://nuxuzuruguli.mypressonline.com/vepavugaxuzaxarikarejuxe.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4372073/normal_5feb3a45b1661.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4498883/normal_5fe3d9cc4642c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4484363/normal_5fd050ec833e9.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4389366/normal_5fdf7e8d36f86.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://5c51e3d7-2896-491e-a255-1b002e356b93.filesusr.com/ugd/5b6ce5_ca463d49e03f4a888a348577deddc9cc.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/385bcc7a-9ac6-4a84-8fe2-f2e7c33b2602/older_model_used_cars_for_sale_near_me.pdf (in PDF document text)
    • http://manosotidokef.myartsonline.com/samovakifejaxozedosikis.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/820fc0c6-c991-45bd-b51f-6f58d179982b/28900409635.pdf (in PDF document text)
    • https://s3.amazonaws.com/gidibesuxi/pre_algebra_with_pizzazz_double_cross.pdf (in PDF document text)
    • https://s3.amazonaws.com/dexodekelaseki/jigagebupilitegoxadituxib.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d83fb9f4-a68b-42ad-8458-eff953e57e3c/lifatijilemorajapav.pdf (in PDF document text)
    • https://488c2ff9-9ff4-499e-8f11-525115e20b22.filesusr.com/ugd/8aba0c_3a300c64012e457790d73a5e7de49b8a.pdf?index=true (in PDF document text)
    • https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_88567773d7104f73b9fc126edf76c63a.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4f3aafeb-42f5-42aa-b85b-63f4bf8b0e91/tubuwevajemukozo.pdf (in PDF document text)
    • http://jisijuvod.myartsonline.com/vabakomir.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d7cb0f85-2d56-472c-8616-5f2181bd1136/timeshare_french_riviera.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e59fe179-05b5-44e1-a564-c0c22098ca9f/veligotukugeresepekun.pdf (in PDF document text)
    • https://6b137298-3864-41c5-aaa3-11744000c3c2.filesusr.com/ugd/b916f4_473761bc7b2442aaa0202db146d6854c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c3fc783e-5708-4204-8587-bb8d57129ee1/84402266625.pdf (in PDF document text)
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_729187dfb0254cd68fb26af94000a0fe.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1204e035-9687-4248-a214-6b21f6619506/how_to_remind_yourself_to_drink_water.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/33a929e1-f1fb-4071-aac5-f7f0f382191a/what_does_it_mean_to_have_flashing_lights_in_your_eyes.pdf (in PDF document text)
    • https://s3.amazonaws.com/davawina/purple_silver_eyeshadow_tutorial.pdf (in PDF document text)
    • https://s3.amazonaws.com/dugibabafod/2005_ford_f250_diesel_manual_transmission.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last nine entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL, dejavu.sourceforge.net) are XMP metadata namespace URIs and font-licence URLs that travel inside the document's metadata and embedded fonts; they are not clickable links and should not be counted toward the link-farm verdict.
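The three structural checks above (the clustered and the disposable link-farm shapes, and the duplicate-object check) can be reproduced directly on raw PDF bytes. The script below is an added example written for this page, not the analysis platform's own code: the thresholds, the list of hosts treated as free/disposable, the keys counted as "active content", the severity labels and the sample PDF are all assumptions constructed for the demonstration. It goes slightly beyond the report by distinguishing the first-wins and last-wins body of each duplicated object, which is what a reviewer needs to decide which content a given reader will actually render.

```python
"""Reproduce the PDF_SEO_LINK_FARM, PDF_SEO_DISPOSABLE_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks on raw PDF bytes.
Added example, not the analysis platform's code; thresholds, host list,
active-content keys, severity labels and the sample PDF are assumptions."""
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed tunables (the report does not publish the real thresholds).
MIN_LINKS = 5                 # "many" clickable .pdf links
DOMINANT_HOST_SHARE = 0.5     # one host owning this share => clustered farm
# Hosts treated as free/disposable content hosting for this example only.
DISPOSABLE_HOSTS = ("filesusr.com", "strikinglycdn.com", "s3.amazonaws.com",
                    "s123-cdn-static.com", "mypressonline.com", "myartsonline.com")
# Keys whose presence in a redefined object body makes the duplicate "active".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm")

URI_ACTION_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)        # /A << /S /URI /URI (...) >>
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")          # anything URL-shaped
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)  # "N G obj ... endobj"


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs; channel is 'link annotation' when the URL is
    the target of a /URI action, otherwise 'document text'."""
    annots = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)}
    found, seen = [], set()
    for m in TEXT_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "link annotation" if url in annots else "document text"))
    return found


def link_farm_verdict(urls: list[tuple[str, str]]) -> dict:
    """Score the two link-farm shapes: .pdf links clustered on one host versus
    spread thin across disposable hosts with a utm_term SEO-redirector link."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    redirector = any("utm_term" in parse_qs(urlparse(u).query) for u, _ in urls)
    disposable = sum(1 for u in pdf_links
                     if (urlparse(u).hostname or "").endswith(DISPOSABLE_HOSTS))
    many = len(pdf_links) >= MIN_LINKS
    return {
        "pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
        "dominant_host": top_host, "dominant_share": round(share, 2),
        "utm_term_redirector": redirector, "disposable_links": disposable,
        "PDF_SEO_LINK_FARM": many and share >= DOMINANT_HOST_SHARE,
        "PDF_SEO_DISPOSABLE_LINK_FARM": many and share < DOMINANT_HOST_SHARE
                                         and (redirector or disposable >= MIN_LINKS // 2),
    }


def duplicate_objects(pdf: bytes) -> list[dict]:
    """Find 'N G obj' defined more than once with different bodies, the shape an
    incremental update leaves behind. A first-wins reader renders the first body,
    a last-wins reader the last; severity is raised (assumed 'high') only when a
    body carries active content, otherwise it stays 'info'."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        bodies.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(defs) < 2 or len(set(defs)) < 2:
            continue  # single definition, or byte-identical repeats
        active = any(k in b for b in defs for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}", "definitions": len(defs),
            "first_wins": defs[0].decode("latin-1")[:60],
            "last_wins": defs[-1].decode("latin-1")[:60],
            "severity": "high" if active else "info",
        })
    return findings


def triage(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    return {"urls": urls, "link_farm": link_farm_verdict(urls),
            "duplicate_objects": duplicate_objects(pdf)}


# Constructed sample (not the analysed file): a minimal PDF whose page text lists
# five .pdf links on five different free hosts, whose single link annotation is a
# utm_term redirector, and whose incremental update redefines objects 4 and 5.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] /Contents 4 0 R >> endobj
4 0 obj << /Length 0 >> stream
(https://s3.amazonaws.com/bucket-a/one.pdf) Tj
(https://static.s123-cdn-static.com/uploads/1/two.pdf) Tj
(https://uploads.strikinglycdn.com/files/x/three.pdf) Tj
(http://host-a.mypressonline.com/four.pdf) Tj
(https://1111-2222.filesusr.com/ugd/five.pdf?index=true) Tj
(http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.invalid/go?utm_term=free+template+pdf) >> >> endobj
trailer << /Root 1 0 R >>
% incremental update appended later: two objects redefined with different bodies
4 0 obj << /Length 0 >> stream
(Plain cover text, no links) Tj
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://landing.invalid/payload) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

On the constructed sample the script reports five .pdf links on five distinct hosts (dominant share 0.2), a utm_term redirector, and both redefined objects; object 4 is rated info because neither body carries active content, while object 5 is rated high because the redefinition swaps the /URI target, so a first-wins and a last-wins reader would send the user to different destinations. Run it against a real file with `triage(open(path, "rb").read())`; the regexes operate on the raw bytes and do not decompress object streams, so a PDF that hides its annotations inside /ObjStm needs a real parser first.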

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000fa6d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA6D | 5060 bytes | a1d4366a3a9e2435e803ab82faa1f188f2b8f95937a8cbac23153572bb196144
font_01_sfnt_off00010c41.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C41 | 5328 bytes | 8a6a3c526ef16c847e8d9d87333b5a7bdb44b440692a08ebed15f9c99512f8d3
font_02_sfnt_off00011e31.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E31 | 2048 bytes | 1390e94d259fb5ede2f573fd9653a3e5971662609d773e0d6b3a5325118e14f4
font_03_sfnt_off000127ad.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x127AD | 10572 bytes | 44aabc87b4036870a676d7b4928e9446d356b50b0a15a4f4533e3f3de2aa672c
font_04_sfnt_off00014be3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14BE3 | 16760 bytes | 26d017e4049bcf83f4957fe540ff708aae88258197f555b9608a6a8a60381b19