Malicious PDF — malware analysis report

Static analysis result for SHA-256 4af6a9db7c070230…

Verdict: MALICIOUS
File type: PDF

Size: 84.0 KB
Created: 2021-06-12 12:25:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25

MD5: c4cedbc78fa61635a87d3ff71cb14b39
SHA-1: 91434e0bf03dd656723c63cccc10d9a9029862dc
SHA-256: 4af6a9db7c0702300cf5ed504dffe06efeb8bb672b9b7f185e87302583fce60a

Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The embedded document body text, though corrupted, contains a URL that appears to be a lure for downloading music. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://laborke.ru/pbw?utm_term=download+music+dancin+krono+remix (PDF link annotation)
    • https://zulewawasukuxu.weebly.com/uploads/1/3/4/5/134581955/pokanu-wogefuvepipeg.pdf (In PDF document text)
    • https://kebakiwaranug.weebly.com/uploads/1/3/4/3/134317860/f2b60e8251.pdf (In PDF document text)
    • https://roresino.weebly.com/uploads/1/3/4/3/134364893/mabuwunapofofiga.pdf (In PDF document text)
    • https://rewodudifizaba.weebly.com/uploads/1/3/4/4/134475466/bazutidiselukop.pdf (In PDF document text)
    • https://fuxugikitoze.weebly.com/uploads/1/3/1/0/131070560/nufemar_rorejik_xegadu.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4417817/normal_5fcafd84890a0.pdf (In PDF document text)
    • https://tivofemexire.weebly.com/uploads/1/3/4/0/134012880/jumofirexit_lepofo_dawakubup.pdf (In PDF document text)
    • https://gisototiv.weebly.com/uploads/1/3/4/7/134704666/ragivifesiwa.pdf (In PDF document text)
    • https://zujanotoze.weebly.com/uploads/1/3/4/4/134476942/dizavox.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379485/normal_6060395311118.pdf (In PDF document text)
    • https://sawifumoz.weebly.com/uploads/1/3/1/3/131380604/4503737.pdf (In PDF document text)
    • https://nolegajaji.weebly.com/uploads/1/3/4/5/134519786/wusuvedu.pdf (In PDF document text)
    • https://xinorexuvon.weebly.com/uploads/1/3/4/6/134608307/2942556.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4491432/normal_6056822768cd1.pdf (In PDF document text)
    • https://zugozoriv.weebly.com/uploads/1/3/4/7/134770463/37648b9.pdf (In PDF document text)
    • https://jenifamizoj.weebly.com/uploads/1/3/5/3/135319667/4874237.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368218/normal_602174d082b21.pdf (In PDF document text)
    • https://febumade.weebly.com/uploads/1/3/4/7/134757335/4959051.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4477655/normal_5ffaefa12f931.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4495399/normal_5fec907c4672b.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/7c0b45d2-fd46-41cf-a47f-400c654161c8/1-99_crafting_guide_rs3_ironman.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/64c77ac8-5458-4cc0-a2b5-5d9b9bade2f6/dashcam_viewer_3.1.2_registration_code.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/310542f8-c224-41d1-afd1-f0e094032e57/libro_de_historia_4_grado_contestado_pagina_80.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/826f21f9-944b-4dad-b597-2a1d21307b59/clock_templates_printable.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c7da0ead-ffc6-4af8-a145-14d8f97a19ed/ruger_p95_holster.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010946.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10946 | 5308 bytes
  SHA-256: cf71d05956fbc6dd2658c7a22bb993bbdfdf26316eba84ae1ea6d6397a5ecffc
font_01_sfnt_off00011b5a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11B5A | 10868 bytes
  SHA-256: 5c38ad16d0f38f3a7bd3d02954ecf8b7f9aae4214bf65c23095e5027470110b0