Malicious PDF — malware analysis report

Static analysis result for SHA-256 452a3b761985c3d3…

MALICIOUS

PDF

87.2 KB Created: 2021-04-24 16:55:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-22
MD5: e9749bea154905dbbf3af90a948961e9 SHA-1: 73415fc5e6182cf9118f08c776b86a1e26b73cba SHA-256: 452a3b761985c3d33bcda05c744dcdd6344f64f8c10c96e7b1409dd6e524bff6
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses a LOLBin command-execution lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/strik?utm_term=final+fantasy+x-2+ps2+walkthrough PDF link annotation
    • http://onlyforyou.space/sheet_extrusion_die_design0flsp.pdfIn PDF document text
    • http://idealica-co.site/marantz_nr1606_hdrf3it4.pdfIn PDF document text
    • http://hq-cleartv.info/9085050553250ihg.pdfIn PDF document text
    • http://creditscorehelp.info/grade_3_afrikaans_reading_books7z19d.pdfIn PDF document text
    • http://lighttravel-ng.com/41142230254dabka.pdfIn PDF document text
    • http://idealica-italy.site/fertile_lands_papyrus_answereo5o7.pdfIn PDF document text
    • http://mybatut.store/28308898631eypex.pdfIn PDF document text
    • http://ijmalan.xyz/bojipatedigisifepiepw4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366666/normal_604d8d6089db0.pdfIn PDF document text
    • http://fortuneo.biz/learn_powershell_in_a_month_of_lunches_2020nwwvp.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4476285/normal_5ff16d56de8c5.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4420745/normal_5fed10be4563a.pdfIn macro / runtime command snippet
    • https://cdn-cms.f-static.net/uploads/4390680/normal_5fe632322c492.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/29fbcaf0-626f-4c65-a19c-28c4dc579cb7/dulerene.pdfIn PDF document text
    • http://renepipelusibav.rf.gd/ferret_diet_guide.pdfIn PDF document text
    • http://fibotemirazopo.rf.gd/jaina_build_guide_hots.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/33e9eb1e-38d0-4b83-b01c-add959fabab0/91350126065.pdfIn PDF document text
    • https://c245485c-e1a4-4c5a-9a2a-c465a95e53c8.filesusr.com/ugd/25f824_bb320e13eb3347a290291abf412ce8a6.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/6f088c08-6c6b-4546-83de-3757eb5a2407/contour_next_ez_test_strips_near_me.pdfIn PDF document text
    • http://xutasiwewuzaf.rf.gd/letter_cancellation_worksheets_printable.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f6835223-9735-44c6-93c9-8c1b7eecc83a/4681437980.pdfIn PDF document text
    • https://def26600-86c9-4442-a738-094ddf2992d1.filesusr.com/ugd/eb5a6a_96a04fdf429c484b9b9fd54a8e168587.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001188e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1188E 5608 bytes
SHA-256: 60f0a1084a6a515401943cd7285c721f456e6881f8359226dd595be191fd34e1
font_01_sfnt_off00012bd2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12BD2 10400 bytes
SHA-256: 306529b4be77a7f4a291318916f7252b8e4800cc71456068eec48722afb7b64c