Malicious PDF — malware analysis report

Static analysis result for SHA-256 4668ca623af042fd…

MALICIOUS

PDF

67.6 KB Created: 2021-04-02 00:09:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23
MD5: 7ace47080d8adba887324b8986a3f086 SHA-1: c5f8d0a9ecf1bb269b411ffce72681e70ef6c99a SHA-256: 4668ca623af042fde9b3d56b8b30539a46c0591a4de7e7acde41dae5e7862693
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as Pdf.Phishing.Trojan. The file contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, appears to be a lure related to a coloring book PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/aws?utm_term=the+nurse%2527s+anatomy+and+physiology+colouring+book+pdf PDF link annotation
    • https://guleritep.weebly.com/uploads/1/3/1/3/131383493/lefeditevumir.pdfIn PDF document text
    • https://zavowajasobi.weebly.com/uploads/1/3/1/4/131406950/9bf1f5f0371.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4466689/normal_606533fe34718.pdfIn PDF document text
    • https://xubivotalo.weebly.com/uploads/1/3/0/7/130775972/4007096.pdfIn PDF document text
    • https://latibexuwer.weebly.com/uploads/1/3/0/7/130776356/watebazepevo.pdfIn PDF document text
    • https://ragurinibobuma.weebly.com/uploads/1/3/3/9/133986244/tonive.pdfIn PDF document text
    • https://sesuxaned.weebly.com/uploads/1/3/5/3/135349378/fiforajofe-nawujukuzed-tikesidojobiz-gelolakom.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4415080/normal_602ca1e66c7ce.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4390659/normal_60501895d7538.pdfIn PDF document text
    • https://pepesavujol.weebly.com/uploads/1/3/1/0/131071240/sefadiwogelijot.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371246/normal_600ff05de7e42.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4380086/normal_5fe426e7aad86.pdfIn PDF document text
    • https://wajupera.weebly.com/uploads/1/3/4/7/134763514/e59c4069.pdfIn PDF document text
    • https://jajesawi.weebly.com/uploads/1/3/0/8/130813829/lazazujagesofig-moted-nusakowu-dibobewuledona.pdfIn PDF document text
    • https://jadozuvar.weebly.com/uploads/1/3/5/3/135312187/sitenafomudu.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4425491/normal_5ff9f3963bd6d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4463287/normal_5fe80d1a09d9c.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://9de673a2-3b8e-40eb-bbf5-c0ad8e71a3da.filesusr.com/ugd/bd5c68_50031dee67404fe58a8892961d84c0d7.pdf?index=trueIn PDF document text
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_7cb8535036794df88014467cfe444b67.pdf?index=trueIn PDF document text
    • https://0ea28b16-58c2-472d-b6be-3e97fe9b7bb6.filesusr.com/ugd/696b8a_539a74d8cdb045efb7f96671dceaed3e.pdf?index=trueIn PDF document text
    • https://fc06435f-e709-4c80-b59d-96fa470c1a13.filesusr.com/ugd/bdc04d_b9bddc6bd2c840dda84117749d47b8f9.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee83.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE83 5740 bytes
SHA-256: 1019f5fe000150a910c0a13bb09fdd9e6feaab1d904d7bea714183c14d122f40