Malicious PDF — malware analysis report

Static analysis result for SHA-256 3506b9b9e3d938f6…

Verdict: MALICIOUS
File type: PDF
Size: 80.8 KB
Created: 2021-04-03 05:59:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: b5caca90a7030e0fd5ef102ee48c8dbf
SHA-1: bba600a27ac87b64ca73fbe94d55afc85d5178e0
SHA-256: 3506b9b9e3d938f6219b9468eb7abef4878a4aacd379a5062a04ab03b4d1eefc
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many of which point to disposable hosting and appear to be part of a link farm designed to redirect users. The document body, though heavily obfuscated, suggests a lure related to search results, likely to facilitate phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/award?keyword=autobiography+of+a+tree+in+1500+words+pdf (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f075.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF075
    Size: 5792 bytes
    SHA-256: dbc3560f488963eaf52b344b1c1c41a7c213e1219ce3bef9790af74962124786
  • Filename: font_01_sfnt_off00010444.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10444
    Size: 10328 bytes
    SHA-256: cce8b52d2de95da29ba903bd1c0d49183783004a33b22bbdb3866cc60d395be2
  • Filename: font_02_sfnt_off000126fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x126FC
    Size: 4324 bytes
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230