Malicious PDF — malware analysis report

Static analysis result for SHA-256 49852830600fdbab…

Verdict: MALICIOUS
File type: PDF
Size: 76.7 KB
Created: 2021-06-09 16:07:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 2be15c5e3b86a6c94a9a0c1790c141f8
SHA-1: e2cf816ae62f22d8b04b5c46c58cac19e8ebaf58
SHA-256: 49852830600fdbabfead46cad64adb806e5a1e47cfd7a325ed87583878713810
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many of which point to disposable hosting and are part of a link farm, suggesting a phishing or malware distribution attempt. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document may be instructing the user to decrypt a password-protected archive, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • https://allytemp.ru/pbw?utm_term=gta+san+andreas+free+download+500mb (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4376870/normal_604352332a8bf.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4482623/normal_600967f80e9a0.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447273/normal_601dae5c4647b.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465015/normal_6015c56f9402a.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4476281/normal_60591407a8865.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/42be5ab5-f659-4deb-ad3f-3ffc95dbd0a5/siemens_hearing_aid_app.pdf (In PDF document text)
    • http://gezebal.pbworks.com/w/file/fetch/144754785/ligixavaxaxolutonez.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ec3c01b3-b2e1-42be-b54c-0fc8e31b56e0/rovovenepasobulunevi.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f6380187-141f-474e-aa3c-49ae67a1e5ef/verizon_fios_router_wiring_diagram.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ed48ed1e-e438-4969-93b4-96fea1ed13fb/tubabafag.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/7a6e4e4c-80e1-49c6-b978-de88ca780c52/803576321.pdf (In PDF document text)
    • http://sepaxebi.pbworks.com/f/67611536842.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/cb35b000-a5ce-473f-abe5-64703125772e/what_are_all_living_things_in_an_ecosystem_called.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/6c3ad0a2-2d59-4c4b-b3e6-6f7e6aeeeffb/33906785969.pdf (In PDF document text)
    • http://fepazonavu.pbworks.com/f/simasikomivovezerixugasum.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/bcc882e3-1de1-4198-b0ec-dcda147005db/nepipigipojumipiredajemi.pdf (In PDF document text)
    • http://divogatupum.pbworks.com/f/331360065.pdf (In PDF document text)
    • http://xuruzinijub.pbworks.com/f/how_do_you_change_the_combination_on_a_sentry_safe.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/1871bb02-7cdd-40e1-bb7b-bcf6b9a103ce/pet_sematary_2019_ending_reddit.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a2e2ba4b-15b9-46e2-bcb1-d5e706108e08/ulysses_poem_essay_questions.pdf (In PDF document text)
    • http://lekadebixe.pbworks.com/w/file/fetch/144737400/how_to_submit_centrelink_medical_certificate.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000ecc2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECC2 | 5580 bytes | 8a854865715aa119359b3c9515e98c89f4e43398da23ccafd6dba78f9bab17fc
font_01_sfnt_off0000ffb8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFB8 | 11348 bytes | 4650d411114b84903fe7aa8428d5abb7defd33a1a87dab2e7e44c2aa3c81dce2