Malicious PDF — malware analysis report

Static analysis result for SHA-256 40bb89d08711a9ca…

MALICIOUS

PDF

Size: 71.5 KB
Created: 2021-05-26 23:50:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23

MD5: 82586903982cfd6a4fb390cbb81852ae
SHA-1: d04e1eed8d8701d07720effd269803dbb488b11b
SHA-256: 40bb89d08711a9ca9dc71a595454b193341463377395dc25e08d4987706618e7

Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by multiple heuristics as a link farm and by a machine learning classifier as malicious. It contains a large number of external links, many pointing to disposable hosting, suggesting a phishing or SEO manipulation scheme. Although no scripts were explicitly extracted, the PDF structure and the nature of the heuristics suggest potential for embedded JavaScript to facilitate redirection.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
font_00_sfnt_off0000ce8f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCE8F  5164 bytes
  SHA-256: b1f597c14c84f89e85d2b01c4f794ac4b672e40b265983c80e02fe633dc2abe5
font_01_sfnt_off0000e01a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE01A  9888 bytes
  SHA-256: 1cb7bb85552c0c5991bd4ff43be7446ac73c787126bb14e8f9d630a5105b2128
font_02_sfnt_off000101d5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x101D5  4324 bytes
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c