Malicious PDF — malware analysis report

Static analysis result for SHA-256 40564b1f8e174604…

MALICIOUS

PDF

Size: 80.8 KB
Created: 2021-04-30 00:32:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: ac7f0061fab12f2b8649439c78ccd4dd
SHA-1: 8e62557c229f7a983ad68f96f8e964bad6f8502d
SHA-256: 40564b1f8e174604fee194587e05d41f7430f61fdfd00c98a597a6bd551a4c57
Risk score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by a ClamAV signature and by an ML classifier (score 0.9997). The heuristic firings characterise it as an SEO link-farm carrier: a small, generated document (wkhtmltopdf 0.12.5 via Qt 4.8.7, created 2021-04-30) whose body contains no clear user-facing text but a large number of external links, almost all of them to other .pdf files on free or disposable hosting (strikinglycdn, f-static, s123-cdn-static, weebly, filesusr and similar), plus one link annotation to an SEO redirector carrying a utm_term parameter. Both the clustered and the non-clustered link-farm heuristics fired; the extracted URL list shows the strikinglycdn.com uploads bucket as the most frequent host but no single dominant one, so the sample sits closer to the disposable-hosting variant. The per-URL channel labels show only the utm_term URL as a clickable link annotation; the remaining links were recovered from document text. No JavaScript or other script content was extracted, so the T1059.007 tag is not substantiated by the static findings. The file itself carries no exploit; the risk lies in the linked destinations, which route users into phishing or unwanted-software delivery chains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (which append a second definition rather than rewriting the file), so severity is raised only when the duplicate carries active content such as an action, script or embedded file. In this sample the duplicate did not, hence the info rating.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=a+discovery+of+witches+season+1+episode+3+recap (PDF link annotation; SEO redirector with utm_term)
    External .pdf links found in PDF document text:
    • http://koxivesuvif.mypressonline.com/reludugobepivedotetisufi.pdf
    • https://static.s123-cdn-static.com/uploads/4408588/normal_5fc7d7f6f05b1.pdf
    • https://cdn-cms.f-static.net/uploads/4387235/normal_600cbd25ebb17.pdf
    • https://cdn-cms.f-static.net/uploads/4470839/normal_60463b61dd170.pdf
    • http://rerixen.scienceontheweb.net/cv_making_tips.pdf
    • https://sijalafad.weebly.com/uploads/1/3/4/8/134887162/furab_jexegafukiwi_podisuxixak_muvunonasomomo.pdf
    • https://rimofemosi.weebly.com/uploads/1/3/4/3/134351632/gixoj.pdf
    • https://static.s123-cdn-static.com/uploads/4457318/normal_5fedf4f7a0534.pdf
    • http://takipibimaxubov.sportsontheweb.net/jiwenawisafe.pdf
    • http://zejirejajedudu.getenjoyment.net/nonixevekaduvoxulo.pdf
    • https://cdn-cms.f-static.net/uploads/4495385/normal_5fd1260cab9af.pdf
    • https://uploads.strikinglycdn.com/files/c8d0e11b-e944-4b7c-a23d-ba4d499c4792/87999868153.pdf
    • https://e0d0d77b-4c00-4265-bc22-f0cc5cf11ada.filesusr.com/ugd/957eb4_0874ec75901e4bb281b49fd6ae791fdf.pdf?index=true
    • http://korofituzuxigu.onlinewebshop.net/rofiwanigu.pdf
    • https://uploads.strikinglycdn.com/files/44dd8589-5bb5-4c50-ad67-f6ba2763f10c/financial_peace_jr_age.pdf
    • https://uploads.strikinglycdn.com/files/6828779b-5aee-4356-a272-21e33a90f39f/kirby_g5_vacuum_bags_near_me.pdf
    • http://zesafemumibow.myartsonline.com/anyong_lupa_worksheet.pdf
    • http://neloralo.myartsonline.com/litefet.pdf
    • https://uploads.strikinglycdn.com/files/219eaeb3-577b-4ce5-a5d3-a58d188e7fba/mipevop.pdf
    • https://uploads.strikinglycdn.com/files/30c37e14-9ad2-464d-b6a8-6836bd0e5ad6/do_ford_fiestas_have_transmission_problems.pdf
    • https://944456f3-75eb-4cd6-bbfd-656b3713ada1.filesusr.com/ugd/2c8d66_dc6a01881e2e415cb29568484ddcaa43.pdf?index=true
    Other URIs found in PDF document text (XMP/RDF namespace identifiers and font vendor/licence strings from the embedded fonts; expected in generated PDFs and not link targets):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
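The link-farm, duplicate-object and URL-channel heuristics above reduce to a handful of checks that can be run over raw PDF bytes. The script below is an added example written for this page, not the analysis platform's own code. The PDF it parses is constructed inline; the 50 % top-host threshold, the minimum link count and the list of "active content" dictionary keys are assumptions chosen for illustration; and the regexes only handle the plain `/S /URI /URI (...)` action layout (no object streams, hex strings or encrypted files), which is enough to show how the three verdicts are reached.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed minimal PDF (not the analysed sample): three /URI link annotations
# (two on one host, one carrying a utm_term redirector parameter), bare URLs in
# page text, and object "4 0" defined twice with different bodies, the shape an
# incremental update leaves behind. Stream /Length values are not meaningful here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT (see http://www.ascendercorp.com/) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/x.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example.net/y.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example.org/z.pdf?utm_term=free+template) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 30 >> stream
BT (https://c.example.com/w.pdf) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

# XMP/RDF namespaces and font-licence URIs appear in most generated PDFs and are
# not link targets; they are excluded from link-farm scoring.
BENIGN_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                   "http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://scripts.sil.org/OFL")
# Assumed marker keys for "active content" when rating a duplicate object.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/EmbeddedFile")


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map each URL to the channel(s) it was reached through (annotation vs. text)."""
    channels: dict[str, set[str]] = defaultdict(set)
    annot = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)}
    for u in annot:
        channels[u].add("link annotation")
    for m in URL_RE.finditer(pdf):
        u = m.group(0).decode("latin-1")
        if u not in annot:  # anything else is just bytes in the document body
            channels[u].add("document text")
    return dict(channels)


def duplicate_objects(pdf: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Return (num, gen) keys defined more than once with differing bodies, in file order."""
    bodies: dict[tuple[int, int], list[bytes]] = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if body not in bodies[key]:
            bodies[key].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def resolve(pdf: bytes, key: tuple[int, int], policy: str = "last") -> bytes:
    """Resolve an object the way a first-wins or last-wins reader would."""
    hits = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
            if (int(m.group(1)), int(m.group(2))) == key]
    if not hits:
        raise KeyError(key)
    return hits[0] if policy == "first" else hits[-1]


def duplicate_severity(bodies: list[bytes]) -> str:
    """Raise severity only when one of the conflicting bodies carries active content."""
    return "critical" if any(k in b for b in bodies for k in ACTIVE_KEYS) else "info"


def link_farm_profile(channels: dict[str, set[str]], min_links: int = 3, cluster_share: float = 0.5) -> dict:
    """Count external .pdf links and measure how concentrated their hosts are."""
    candidates = [u for u in channels if not u.startswith(BENIGN_PREFIXES)]
    pdf_links = [u for u in candidates if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    profile = {
        "pdf_links": len(pdf_links),
        "clickable": sum("link annotation" in channels[u] for u in pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_share": top_n / len(pdf_links) if pdf_links else 0.0,
        "has_utm_term": any("utm_term=" in u for u in candidates),
    }
    if len(pdf_links) >= min_links and profile["top_share"] >= cluster_share:
        profile["verdict"] = "PDF_SEO_LINK_FARM"            # one dominant host
    elif len(pdf_links) >= min_links:
        profile["verdict"] = "PDF_SEO_DISPOSABLE_LINK_FARM"  # spread thin across hosts
    else:
        profile["verdict"] = "none"
    return profile


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_PDF)
    for u, ch in urls.items():
        print(f"{u}  [{', '.join(sorted(ch))}]")
    print(link_farm_profile(urls))
    for key, bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"obj {key[0]} {key[1]} defined {len(bodies)}x, severity {duplicate_severity(bodies)}")
        print("  first-wins:", resolve(SAMPLE_PDF, key, "first")[:40])
        print("  last-wins: ", resolve(SAMPLE_PDF, key, "last")[:40])
```

On the constructed file the profile reports four .pdf links on three hosts with the top host holding half of them, so the clustered verdict fires; lowering `cluster_share` or adding hosts flips it to the disposable-hosting verdict, which is the axis on which the two heuristics in the report differ. The duplicated content stream is rated info because neither body contains an action or script key; a duplicate whose second body added `/OpenAction` or `/JS` would be rated critical.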

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs, which is consistent with wkhtmltopdf output; neither is a script, action or embedded-file object.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000fca4.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFCA4    5668 bytes
    SHA-256: b34e655cbbb1c2cdc21c7179a9afbee02ab49d7dcb2e2dcf34641961932be706
font_01_sfnt_off0001101f.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x1101F   10468 bytes
    SHA-256: 4f0e59c587fabc559e1aa95c8a7184d82ec4877ef81341a683db10aa5716b7fd