Malicious PDF — malware analysis report

Static analysis result for SHA-256 491c1be082a626d3…

MALICIOUS

PDF

Size: 77.6 KB
Created: 2021-03-06 13:55:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 539bab6bded8a7c6996c49bf34635a02
SHA-1: e522bc18a3a87d30e00d1671064c88b3d56b8468
SHA-256: 491c1be082a626d3a982718182acbaf936b7f8da8fd8ce51b13a781af0b88282
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was identified as malicious by multiple heuristics and a machine learning classifier. It contains a link farm with numerous URLs, including a critical finding of a link to known malicious redirector infrastructure. The primary malicious activity appears to be redirecting users to external sites, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each labelled with the channel that reached it):
    • https://yafferge.ru/wix?keyword=crash+course+animal+and+plant+cells+worksheet+answer+key (in PDF document text)
    • http://zajowidased.iblogger.org/wafit.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415524/normal_6036c2ff2991f.pdf (in PDF document text)
    • http://gipoletuzemixol.iblogger.org/retebopiterodisetijew.pdf (in PDF document text)
    • https://tazuwadafif.weebly.com/uploads/1/3/4/8/134857375/9390739.pdf (in PDF document text)
    • https://gutavavoz.weebly.com/uploads/1/3/4/0/134000423/nigasimu.pdf (in PDF document text)
    • https://xagaxomopezegif.weebly.com/uploads/1/3/4/3/134355140/09553ce936e9e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481280/normal_601ef38a636b3.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4426059/normal_5fefcd53e41fb.pdf (in PDF document text)
    • https://kewidanuratug.weebly.com/uploads/1/3/5/3/135323433/fupifik.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://98e80eac-0673-4bf9-a3de-4132461903b3.filesusr.com/ugd/1acd69_9bd1bd1ae4fc4f4aab51f0bac63d0fb6.pdf?index=true (in PDF document text)
    • http://dokebipozo.epizy.com/bookworm_adventures_2_with_crack.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b557ced1-5643-4830-96c5-8d7c15465d83/figarijabesugemawide.pdf (in PDF document text)
    • https://d670dda7-df53-4ef1-8eda-d3256df28744.filesusr.com/ugd/dbbbec_e6ad8755158c4aeda8344c5c2b966dba.pdf?index=true (in PDF document text)
    • https://f3dcd8e3-6656-4b47-a81e-a993d3c4f2a1.filesusr.com/ugd/aa9ef2_0267341505cf4df693aea89e51feaa7b.pdf?index=true (in PDF document text)
    • https://77bc4ea4-de20-41c0-a463-a5315db628d9.filesusr.com/ugd/2c69e3_cdf09dcf5ba6475bb96dbd6bdf55e51b.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/78a8e821-e65c-4a12-925f-4602325d80cc/lopi_1750_wood_stove_for_sale.pdf (in PDF document text)
    • https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_a8063098f2714cb5ba1fb4ad1034bf07.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0c6fcdd5-06a5-4180-a37e-577cb1b19696/full_reset_moto_g6_play.pdf (in PDF document text)
    • https://a97be2a3-bfb5-42de-bba9-b145341b31aa.filesusr.com/ugd/1f2860_7e9f77a8aa7148608f8119d5a59a8f30.pdf?index=true (in PDF document text)
    • https://6478d21b-237c-41b5-add8-96d7b9819624.filesusr.com/ugd/c7ef1a_65d51b9d792c4bff9194c4fe33a40312.pdf?index=true (in PDF document text)
    • http://kafopazam.epizy.com/vigo_video_app_mp4.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e1a34dce-9a08-4585-9850-fde4ca8135c8/war_is_a_racket_book.pdf (in PDF document text)
    • https://ed7c5604-ec0f-4ae6-9d22-6d534b57d154.filesusr.com/ugd/1d5a3f_a9f75857abc1472e88bb2081322bc823.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6de4364e-03a5-436f-be3e-7f991c81940c/lmites_de_funciones_trigonomtricas_ejercicios_resueltos.pdf (in PDF document text)
    • https://5b3fc17b-a4fb-4144-9a53-ff617e35bc6a.filesusr.com/ugd/696117_9d314c729836434a935e99cebc546744.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f1d1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1D1 | 5476 bytes
    SHA-256: d397221177f3d55cb89ecf8d62709b1f9f067bba9ef0bb5da3ca44cbc721771d
font_01_sfnt_off00010457.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10457 | 10420 bytes
    SHA-256: 0cc169df7918a52f3d927ea2cfb771146d8a58bb22b915af963bfa857a155cfe