Malicious PDF — malware analysis report

Static analysis result for SHA-256 431323650832ebd2…

MALICIOUS

PDF

Size: 77.1 KB
Created: 2021-04-15 00:42:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 152ed06fb10392c7ec163f0ce8afa45a
SHA-1: 99b772a197d86c567b712a1ba7908959e600e773
SHA-256: 431323650832ebd2004b1299b839c9618efab7427e34021891804930c95a815c
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to disposable hosting (weebly.com, filesusr.com, rf.gd, epizy.com) and redirector infrastructure, the pattern of a link farm built to route users to malware or phishing content. The PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics both fire, which strongly suggests malicious intent. The document text, though heavily obfuscated, carries the string 'hp elitebook 2560p bluetooth drivers download' (it is the utm_term of the dafemum.ru redirector link), a search query used as a lure to draw users into clicking the links.
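The link-farm features the report scores (many clickable external .pdf links, how strongly they cluster on one host, use of free/disposable content hosts, and a utm_term SEO redirector) can be reproduced with a small static triage script. The following is an added example, not the analysis platform's own code: the mini-PDF, the disposable-host list and the thresholds in classify() are constructed/assumed for illustration, and URIs are pulled with regexes over the raw bytes rather than a full PDF parser, so object streams or encoded strings would be missed.

```python
"""Static link-farm triage for a small PDF (added example; not the platform's code).

Extracts http(s) URIs, tells clickable /URI link-annotation targets apart from
other URL strings (XMP namespaces, font metadata), and computes the features
behind PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: a short illustrative list of free/disposable content hosts abused
# by this PDF family, not an authoritative one.
DISPOSABLE_HOST_SUFFIXES = (".weebly.com", ".filesusr.com", ".rf.gd", ".epizy.com", ".sqhk.co")

# Constructed mini-PDF: four /Link annotations with /URI actions plus an XMP
# packet whose namespace URI a naive extractor will also pick up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dafemum.ru/strik?utm_term=hp+elitebook+2560p+bluetooth+drivers+download) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example1.weebly.com/uploads/1/2/3/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://11111111-2222-3333-4444-555555555555.filesusr.com/ugd/x.pdf?index=true) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host.rf.gd/1234.pdf) >> >> endobj
8 0 obj << /Type /Metadata /Subtype /XML /Length 90 >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # clickable /URI action targets
RAW_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")     # any other URL-looking string


def extract_uris(pdf: bytes) -> dict:
    """Map url -> channel: 'link-annotation' for /URI actions, else 'document-body'."""
    found = {}
    for m in URI_ACTION_RE.finditer(pdf):
        found[m.group(1).decode("latin-1")] = "link-annotation"
    for m in RAW_URL_RE.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), "document-body")
    return found


def link_farm_features(uris: dict, size_bytes: int, small_pdf_limit: int = 200_000) -> dict:
    """Compute the per-document features the link-farm heuristics reason about."""
    clickable = [u for u, ch in uris.items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_count = hosts.most_common(1)[0][1] if hosts else 0
    disposable = [u for u in clickable
                  if (urlparse(u).hostname or "").endswith(DISPOSABLE_HOST_SUFFIXES)]
    utm_terms = [parse_qs(urlparse(u).query).get("utm_term", [""])[0]
                 for u in clickable if "utm_term=" in u]
    return {
        "small_pdf": size_bytes <= small_pdf_limit,
        "clickable": len(clickable),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_host_share": (top_count / len(pdf_links)) if pdf_links else 0.0,
        "disposable_hosts": len(disposable),
        "utm_terms": utm_terms,
    }


def classify(f: dict) -> str:
    """Assumed thresholds: >=3 external .pdf links in a small PDF is a farm;
    >=50% on one host is the clustered variant, otherwise the disposable one."""
    if not f["small_pdf"] or f["external_pdf_links"] < 3:
        return "no-link-farm-signal"
    if f["dominant_host_share"] >= 0.5:
        return "PDF_SEO_LINK_FARM"
    if f["disposable_hosts"] or f["utm_terms"]:
        return "PDF_SEO_DISPOSABLE_LINK_FARM"
    return "PDF_SEO_LINK_FARM_CANDIDATE"


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    feats = link_farm_features(uris, len(SAMPLE_PDF))
    for url, channel in uris.items():
        print(f"{channel:16} {url}")
    print(feats, "->", classify(feats))
```

Run it against a real sample with `extract_uris(open(path, "rb").read())`; the XMP namespace URI comes back as document-body, not link-annotation, which is exactly the distinction the report's per-URL labels are meant to make.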

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (the document was saved more than once), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Lure and link-farm URLs (in PDF document text):
    • https://dafemum.ru/strik?utm_term=hp+elitebook+2560p+bluetooth+drivers+download
    • http://solent.bar/active_release_technique_muscle_knotswo1yt.pdf
    • https://gimeboxevamovuv.weebly.com/uploads/1/3/4/4/134494840/vizabupewop.pdf
    • https://tugalebuwe.weebly.com/uploads/1/3/4/0/134012885/lavedud.pdf
    • https://jubagidegugidok.weebly.com/uploads/1/3/5/3/135317658/2676f67bfa0c5.pdf
    • https://cdn.sqhk.co/ximegawaso/jhgcko5/podefifunosawugadu.pdf
    • https://cdn.sqhk.co/duwenaxiseve/AaZqTjh/bodaj.pdf
    • http://raisinslabs.club/93429179707ww80m.pdf
    • http://mediaverifiedbadge.com/ladorj0c39.pdf
    • https://xuvesebitewetok.weebly.com/uploads/1/3/6/0/136086761/613617.pdf
    • https://79d86aa2-23c4-4aa0-a0dc-c16ac59ae55d.filesusr.com/ugd/ecb701_af7ba53f63b143a89d7f339553f0a869.pdf?index=true
    • https://203aa715-7352-46b1-b16b-5d0aeeaa27a2.filesusr.com/ugd/0582e0_007caf1f19014dcdb826eb2f0d41bb5c.pdf?index=true
    • https://5bf49506-6ef1-42f8-8f90-7e3689255fd3.filesusr.com/ugd/8fe1bf_d85e757f76d84f14a3b444eab6ea780c.pdf?index=true
    • https://13006a6e-9b3f-4191-9e3f-064114488741.filesusr.com/ugd/34464a_555c6034e1ed45369e58f2033281b8b8.pdf?index=true
    • http://xugadizedema.rf.gd/22617570298.pdf
    • https://2a4065d7-883d-43e8-a524-7ce9aa4b4e88.filesusr.com/ugd/ccb1c6_55a0b2b51a354428ba6670ac768d11ee.pdf?index=true
    • http://gapefixuwaxa.epizy.com/78533277970.pdf
    • http://rotirokarovul.rf.gd/bioassay_in_pharmacology.pdf
    • https://6ce95562-7558-49ee-a7b0-b3003db3b0e9.filesusr.com/ugd/d13e1f_b91e392d71f8462cac3069e0783aab88.pdf?index=true
    • https://2978fa49-077f-489e-bef2-0e177375ffd3.filesusr.com/ugd/50ba8f_d35fe55d469d47168de94e908eca0c8e.pdf?index=true
    • http://jilufadipubo.epizy.com/xabununopufazamimiji.pdf
    Metadata URLs (in PDF document text; not lure links):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The w3.org, purl.org and ns.adobe.com entries are RDF/XMP namespace identifiers from the document's metadata packet, and scripts.sil.org/OFL is the SIL Open Font License URL that font files carry in their license fields; the two ascendercorp.com entries are most likely from the embedded fonts' name tables (Ascender is a font foundry), although the report does not say so. None of these should be treated as indicators.
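The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above is cheap to reproduce statically: scan for every `N G obj ... endobj` definition, group by (N, G), and flag groups whose bodies differ. The script below is an added example rather than the platform's detector; its sample bytes are a constructed two-revision PDF in which object 4 is first a harmless /URI action and then, in the appended update, a /JavaScript action, so a first-wins and a last-wins reader disagree about what /OpenAction runs. The /Prev offset in the second trailer is a placeholder and the list of "active content" keys is an assumption.

```python
"""Duplicate-object detection for PDFs (added example; not the platform's code).

Groups every 'N G obj ... endobj' definition by object id, reports ids defined
more than once with differing bodies, and shows how first-wins and last-wins
readers resolve the same reference to different content.
"""
import re
from collections import defaultdict

# Constructed sample: an original revision plus an incremental update that
# redefines object 4 (the /OpenAction target) with active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (https://benign.example/readme.pdf) >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.launchURL\\("https://lure.example/strik"\\)) >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# 'N G obj <body> endobj'; the lookbehind stops '12 0 obj' matching as '2 0 obj'.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Assumption: keys whose presence makes a redefinition worth escalating.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|EmbeddedFile)\b")


def scan_objects(pdf: bytes) -> dict:
    """Return {(num, gen): [body, ...]} with bodies in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(defs)


def find_duplicates(defs: dict) -> list:
    """List (obj_id, definition_count, bodies_differ, carries_active_content)."""
    out = []
    for oid, bodies in defs.items():
        if len(bodies) < 2:
            continue
        differing = len(set(bodies)) > 1
        active = any(ACTIVE_RE.search(b) for b in bodies)
        out.append((oid, len(bodies), differing, active))
    return out


def resolve(defs: dict, oid: tuple, policy: str) -> bytes:
    """What a reader sees for oid: the first definition or the last one."""
    bodies = defs[oid]
    return bodies[0] if policy == "first-wins" else bodies[-1]


def severity(differing: bool, active: bool) -> str:
    """Identical redefinitions and inert body changes stay informational."""
    if not differing:
        return "info"
    return "high" if active else "info"


if __name__ == "__main__":
    defs = scan_objects(SAMPLE_PDF)
    for oid, n, differing, active in find_duplicates(defs):
        print(f"{oid[0]} {oid[1]} obj defined {n}x, differing={differing}, "
              f"active={active}, severity={severity(differing, active)}")
        print("  first-wins:", resolve(defs, oid, "first-wins")[:60])
        print("  last-wins: ", resolve(defs, oid, "last-wins")[:60])
```

For a real sample, compare the two resolutions of any flagged object against what the viewer you care about actually executes; the mismatch, not the duplicate itself, is the finding. Objects inside compressed object streams are not seen by this scan.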

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000edf5.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xEDF5    5916 bytes
  SHA-256: 9bc2369ffa9553510bc7c81cf6e21801ebc7a0a0e40f4738496ff4d29cc63bff
font_01_sfnt_off00010221.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10221   10704 bytes
  SHA-256: 5a382e8dc4cec1532d75eda47e6c3bef4272659d15af350e35dfb63b5c77ad4a