Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f4d3495fc0603ce…

MALICIOUS

PDF

84.0 KB Created: 2021-03-30 01:53:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-20
MD5: 02f3ad2eed18a46f8c11a25f75c95d58 SHA-1: 27236f25f82b8347e3663966f476fbb4f6786361 SHA-256: 3f4d3495fc0603ce7c916ca583bbc6dd1292514118785ded91dc8a1c8717ff69
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links that redirect to a link farm hosted on disposable infrastructure, as indicated by the 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics. The ML classifier and ClamAV also flagged this file as malicious, specifically as a phishing or trojan variant. The primary purpose appears to be directing users to malicious or phishing content via the numerous URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/123?utm_term=liftarens+guide+till+galaxen+bok+%25C3%25A5lder In PDF document text
    • http://netewe9.xyz/kaserezirebuvujomijejqajys.pdfIn PDF document text
    • https://cdn.sqhk.co/kojetovukufo/6kjficl/toilet_paper_cat_running_out_again.pdfIn PDF document text
    • https://latopilufazi.weebly.com/uploads/1/3/4/0/134017217/nonoliropa.pdfIn PDF document text
    • https://xatotaga.weebly.com/uploads/1/3/4/7/134726025/fb570d32d8.pdfIn PDF document text
    • http://toguvuveleguna.22web.org/app_statistics_google_play.pdfIn PDF document text
    • https://cdn.sqhk.co/lexaxemiji/jcjilig/download_walmart_grocery_shopping_app.pdfIn PDF document text
    • https://cdn.sqhk.co/bapuparit/jeicggW/conquest_of_bread_pages.pdfIn PDF document text
    • http://drilltech.info/can_you_sleep_in_monthly_contact_lensesjg7gj.pdfIn PDF document text
    • https://cdn.sqhk.co/zarepowake/giv8Djx/41535669171.pdfIn PDF document text
    • http://selozufuwadapuw.66ghz.com/77068474953.pdfIn PDF document text
    • http://dressnbuy.com/gelojofizazopiwuxegetuo7ani.pdfIn PDF document text
    • http://karnaval.host/bagetixefebuguw4ywr.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/kewuxejikiwe/93706604844.pdfIn PDF document text
    • https://s3.amazonaws.com/zobuwubedak/facebook_code_generator_app.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a8276169-97f6-4de5-b5f0-ed787b856d14/how_to_clean_a_smoke_machine.pdfIn PDF document text
    • http://suwojubomitela.epizy.com/brazil_culture_and_traditions.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2a1954c2-7259-4830-89a5-43e92dd82b8a/gujojefegopuv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d5486422-0598-414e-87aa-14ae22db7a3d/mimamiposi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7c547294-bc5e-4d45-ad0a-dfba6bc6890f/slimpar_56_chauvet_lights.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010776.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10776 5592 bytes
SHA-256: 8f090703fe972f8779620376a0ca9951db270e8e43f2b4be798f29bb18dc76ee
font_01_sfnt_off000119f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x119F6 12116 bytes
SHA-256: 3fd5334ca421432e7070ba94d225d33547541747c077a95882c40bfe40a95da3

Open this report in the interactive analyzer, or submit your own file for analysis.