Malicious PDF — malware analysis report

Static analysis result for SHA-256 379c048fbb4c4682…

MALICIOUS

PDF

81.6 KB Created: 2021-09-13 13:17:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 5c83cea8e024587d1d777de178c971c3 SHA-1: 90f2f2793305b965626cb5ddc200145c74a2b5ec SHA-256: 379c048fbb4c4682fdb9c19629685784c469219585c9284999c0dcc58c5c6189
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for exploiting vulnerabilities or redirecting users to malicious sites. The heuristic PDF_SEO_DISPOSABLE_LINK_FARM and the numerous external URIs suggest an attempt to distribute or host malicious content. ClamAV detection further confirms the malicious nature of the file, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ascend.sut.ac.th/ce/2017/src/plugins/ckfinder/userfiles/files/bariravenosopowagabe.pdf In PDF document text
    • https://palet-school.com/files/files/54970218121.pdfIn PDF document text
    • http://rideabikenews.com/user_img/files/zetepikisorofok.pdfIn PDF document text
    • http://aquamedia.cn/ckfinder/userfiles/files/26764069585.pdfIn PDF document text
    • http://imobiliariaimperio.com/files/files/jakisaxoge.pdfIn PDF document text
    • https://reifenscho.de/wp-content/plugins/formcraft/file-upload/server/content/files/161356c4e49cbe---71086566955.pdfIn PDF document text
    • https://poldercuptrofee.nl/site/admin/ckfinder/userfilesfiles/82332555991.pdfIn PDF document text
    • https://arte-salon.ru/upload_picture/1078063908.pdfIn PDF document text
    • http://afro-safari.com/upload/files/74999784047.pdfIn PDF document text
    • https://www.medicalbi.com/ckfinder/userfiles/files/15302268904.pdfIn PDF document text
    • http://futureinfashion.com/ckfinder/userfiles/files/23441492932.pdfIn PDF document text
    • http://uniquecharacters.com/upload/files/vuxoxomek.pdfIn PDF document text
    • http://speednewslive24.com/assets/ckfinder/core/connector/php/uploads/files/48643473338.pdfIn PDF document text
    • https://lawtutors.co.uk/js/ckfinder/userfiles/files/83456204470.pdfIn PDF document text
    • https://cremyco.com/app/webroot/docs/file/mebepudolepuze.pdfIn PDF document text
    • http://nnk.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1613c523e74ca7---mazunawafag.pdfIn PDF document text
    • http://theurbanbazzaar.com/userfiles/file/wubopisemaratu.pdfIn PDF document text
    • https://juhaszautovill.hu/userfiles/file/80454931220.pdfIn PDF document text
    • http://spielundlicht.de/content_provider/documents/files/latiwivelorasasokivolir.pdfIn PDF document text
    • https://argumentua.com/i/file/76590870185.pdfIn PDF document text
    • http://closehorses.com/userfiles/file/paxeduzujirepu.pdfIn PDF document text
    • http://machulski.com/public/file/53889820137.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=ogilvy+on+advertising+pdf+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d612.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD612 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000ee24.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE24 18728 bytes
SHA-256: fa104ea6e4657507c743ce7c85ee44ff81574614b07b195a1a21c0901faf61ad
font_02_sfnt_off00011f4d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11F4D 10964 bytes
SHA-256: 95cf0d703affc288458694b2448d7efa0fee4afe0e5f7d66eb08093948a5e693