Malicious PDF — malware analysis report

Static analysis result for SHA-256 341303b4d3394135…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-04-11 06:43:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02
MD5: 323090ab56ca699f057d99c2ed028425
SHA-1: ec05a6d56ac3b63265110958c5fe0b8178c410a4
SHA-256: 341303b4d33941351eab5b459f55c8191e47c069a1f43cab61fb68207495ce77
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on disposable domains and appear to be part of a link farm designed to attract traffic. One prominent URL, 'https://bologen.ru/strik?utm_term=how+to+do+android+app+development', suggests a lure related to app development. The ML classifier strongly indicates maliciousness, and the PDF structure with numerous external links points towards a phishing or SEO manipulation tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://bologen.ru/strik?utm_term=how+to+do+android+app+development (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4375716/normal_5fdc49f84a8d6.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4413850/normal_5fdcdb673800c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446165/normal_6028f8256f61e.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4379606/normal_5ffa7fa21897c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415951/normal_5fe87a1e50ec6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4459318/normal_60499e015830c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4475000/normal_6006d48eaba43.pdf (in PDF document text)
    • http://tuvoreda.scienceontheweb.net/vonagasigakafap.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4471992/normal_6006246205025.pdf (in PDF document text)
    • http://komaxinatobofe.medianewsonline.com/75207931384.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://6205d428-d5dc-494e-bbc3-e2236f9d811e.filesusr.com/ugd/6885a6_e5ddb06a98c9490c9031bcd4e5db5770.pdf?index=true (in PDF document text)
    • https://b18ac5c8-c825-4c59-a0a1-290c879ce4f6.filesusr.com/ugd/1a0fde_5eb81e4c76c54dc58f0b5af3553b171f.pdf?index=true (in PDF document text)
    • https://0d555108-1732-4721-8d72-76d747b2053a.filesusr.com/ugd/1b0481_c3b3e3bdb1d5470d8991fafb24977aa2.pdf?index=true (in PDF document text)
    • https://b860438a-ced3-4995-86f2-ad9a24e3f15c.filesusr.com/ugd/938eb2_06776cd10b624291aed2012ed0d8b1f7.pdf?index=true (in PDF document text)
    • https://0e75ab8e-f6a1-4360-bef2-1d94e06fde4e.filesusr.com/ugd/c0518c_228222c833794a858647a1fca422880d.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/mukut/todo_sobre_el_capitalismo.pdf (in PDF document text)
    • https://fb075467-9d00-46c6-93ac-2b777f5e584b.filesusr.com/ugd/8bcd66_c67ac03749594d1882ee2ef41f194106.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/robumuduluwise/samsung_smart_tv_remote_manual_2016.pdf (in PDF document text)
    • https://s3.amazonaws.com/davawina/why_wont_my_garage_door_opener_light_turn_off.pdf (in PDF document text)
    • https://4edd92ed-4e96-4c3d-a837-a16c7246ae9e.filesusr.com/ugd/7c3149_50ff31c7ce79452bac34cf60cd5e6cbc.pdf?index=true (in PDF document text)
    • https://c245485c-e1a4-4c5a-9a2a-c465a95e53c8.filesusr.com/ugd/25f824_39ee0a02693a4d5d883518f695a05115.pdf?index=true (in PDF document text)
    • https://2aa89031-56ac-4de1-b828-aabe99840ec8.filesusr.com/ugd/cf14a4_0713b944901a4cbfb15cfa094b79b015.pdf?index=true (in PDF document text)
    • http://tibamupebunod.atwebpages.com/atlantis_bahamas_water_park_map.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010ba0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BA0
    Size: 5040 bytes
    SHA-256: 7f81241ef0ea5c326801a5e29cde72222f0066268376af97b7718ce7ac3f72df
  • Filename: font_01_sfnt_off00011cc4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CC4
    Size: 12052 bytes
    SHA-256: 2fb3610bc428fe20a8829db59a1caf4d32bf61e2ae2c6298ffdb20e8838957a8