Malicious PDF — malware analysis report

Static analysis result for SHA-256 428de9a4bffedf23…

MALICIOUS

PDF

83.5 KB Created: 2021-03-18 09:43:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e00faa099385c807f9e63d41311a5e7a SHA-1: 333ab846cba31c228bc69f4027eacf06275bc9ff SHA-256: 428de9a4bffedf236813210b7ef689da1ecbfa1eaffca71be7e58ce028ec6fc8
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a link farm. It contains numerous external URIs, with one notable example being https://jacksth.ru/strik?utm_term=what+is+the+point+of+the+phantom+of+the+opera. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of a link farm strongly suggests an attempt to redirect users to malicious websites for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=what+is+the+point+of+the+phantom+of+the+opera
    • https://static.s123-cdn-static.com/uploads/4405922/normal_6003ed372e9a9.pdf
    • https://static.s123-cdn-static.com/uploads/4367303/normal_5fca79b5e9327.pdf
    • https://cdn-cms.f-static.net/uploads/4407989/normal_600a40db56e4b.pdf
    • https://cdn-cms.f-static.net/uploads/4465537/normal_60206f5f82980.pdf
    • http://teren.fun/abinaya_song_free_mugen_rao0jvr9.pdf
    • http://vseti.life/real_madrid_vs_bayern_highlights_2018mwv4k.pdf
    • http://prechambre.xyz/vutaranatatidototigmz1m.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://44bb6ee8-a0fe-4f72-890f-0f0a2fec05cf.filesusr.com/ugd/b65acf_dc5da83323e44be6bd00ecc18e17c307.pdf?index=true
    • https://2ed821ec-8078-4e74-b11b-c5cec6a88262.filesusr.com/ugd/65e777_38db3ebe9e1840eba90aae4f05a9c572.pdf?index=true
    • https://da18e6a8-d720-42de-a88c-3f13daad7efb.filesusr.com/ugd/08fe48_dacb3037e59646a488fd7e52692c331a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e6a321d1-4f27-4be8-912c-6ff5ecb38b5c/pepopoxipopabedopiwik.pdf
    • https://be56f97b-0727-4a8e-a141-4155b83e75ac.filesusr.com/ugd/5034d0_ffc5456e36b744d28dd6292dc24bb3b5.pdf?index=true
    • https://bf5f3f24-cfb9-4aec-9f01-83e6d863dc5b.filesusr.com/ugd/1f4526_70efea6896514a279505bdc1c2b429af.pdf?index=true
    • https://a4758657-6aaa-4003-b0f6-1957e800abfd.filesusr.com/ugd/70c1f8_e97ea163d4ea45118ea507f3c53a7320.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e71c3ca4-7294-4ef8-995b-0afec42f54dd/96648535691.pdf
    • https://ca30e0e0-ecf2-44ab-b6a2-fe26291458be.filesusr.com/ugd/34e21e_e50ffde5b64749419b670a60dcdd9193.pdf?index=true
    • https://ec5c17a1-061e-4a2c-a9e6-b3561ba71229.filesusr.com/ugd/299074_a168f31c03ef4722aaed95a76c18afac.pdf?index=true
    • https://uploads.strikinglycdn.com/files/373396cf-c305-4230-8c09-6652e804b27e/price_comparison_worksheets.pdf
    • https://da9d63b4-fbfd-4f6f-88e7-06ac0d76355b.filesusr.com/ugd/ca300b_6db101c3c10e431abadbcab917b40394.pdf?index=true
    • https://435a888a-8f80-410d-aa77-77edd6e4491d.filesusr.com/ugd/51fec0_63c555e47eae47b78d36490a52b0c14e.pdf?index=true
    • https://ee6e56e8-c390-49d2-810b-d4defef8b9c1.filesusr.com/ugd/eda187_5478035eed9e4ed58dd164b172c8dc34.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001093a.bin
f1114876174b41c73548ffcf7bb5172e6a918cdc9af424bfb83be14a0e5fa639		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1093A 5120 bytes
font_01_sfnt_off00011a8a.bin
6311ad0b79bc489f7bc61a3d8e91a8821522a9dbab34ddbbaff7fbf96408588a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A8A 11356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.