Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bbc2302a0313b31…

Verdict: MALICIOUS
File type: PDF
Size: 77.7 KB
Created: 2021-04-01 07:36:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 21847c66b242e918ec13b5a189ecbdf6
SHA-1: b0377ab4a57c7822526cde733713d1d30ae68907
SHA-256: 4bbc2302a0313b310b5d90b6e0f188ab0a87c6fc02053fb3857b5c2e6e997883
Risk score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains dozens of external links to other .pdf files, many of them on free or disposable hosting (22web.org, epizy.com, rf.gd, iblogger.org, strikinglycdn.com, filesusr.com and S3 buckets), the pattern of a generated SEO link-farm carrier rather than a document that cites sources; the wkhtmltopdf authoring application fits an HTML page converted to PDF in bulk. Both link-farm heuristics fired because roughly half of the .pdf links sit on uploads.strikinglycdn.com while the rest are spread thinly across the other hosts, and the one true link annotation points at a utm_term SEO redirector. The Nyx classifier (0.9991) and the ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 both flag the file as a phishing trojan. The static findings show no JavaScript, no exploit and no embedded executable content: the risk is in the linked destinations, such as 'http://romotogez.22web.org/video_converter_for_android_2._3._5.pdf' (found in the document text), which route users into redirect or unwanted-software delivery chains. The ATT&CK tags for JavaScript (T1059.007) and client-side exploitation (T1203) are therefore not corroborated by the findings listed below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/strik?utm_term=chandamama+old+stories+in+telugu (PDF link annotation)
    • http://romotogez.22web.org/video_converter_for_android_2._3._5.pdf (in PDF document text)
    • http://natomazadikomiz.iblogger.org/what_life_will_be_in_2050_essay.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/zuses/upsc_2016_answer_key_insights.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2513c044-0c3e-45b9-927d-1996f5d85424/icd_10_code_for_septic_shock_due_to_covid_19.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/67702642-b7f0-42a7-af8a-39e514a64eac/requirements_to_get_a_ms_drivers_license.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0cc51b0f-e93e-4a30-afa8-bcea6e4637a8/how_long_does_enameled_cast_iron_last.pdf (in PDF document text)
    • https://s3.amazonaws.com/lolaritemukole/shadow_running_gif.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9eec5ad4-61de-4ac9-b705-4b0c2b90578d/23828815389.pdf (in PDF document text)
    • https://s3.amazonaws.com/zijivevip/xesitikud.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f538b2da-f922-47b9-8501-1c888b7067e0/fafetonoxofuxuz.pdf (in PDF document text)
    • https://1c54689f-8f60-44d8-8d81-b144d6ea8ada.filesusr.com/ugd/787b0a_98796491b53f4a819e8652c3ce218b90.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6c222e4-f1ce-49db-89d8-cac196efa6aa/8984581179.pdf (in PDF document text)
    • https://436c154b-1c2d-4c60-9768-ed3a268ef5e1.filesusr.com/ugd/e8e253_e1209992a55c46a6bb18aed31cbf1be6.pdf?index=true (in PDF document text)
    • https://276658a2-c6b1-4a23-bc3b-56c82bce4278.filesusr.com/ugd/f9448a_950b5d2ba012459a9563b3c633d8872b.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0abe5595-2ab7-4132-bdc7-b25e7b38e718/zotomod.pdf (in PDF document text)
    • https://s3.amazonaws.com/fapaga/frases_de_cien_aos_de_soledad.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bf77af8e-5000-4b1e-b637-12108ff4de76/best_skyrim_load_order_2020.pdf (in PDF document text)
    • http://kubuxakul.epizy.com/apache_ignite_performance_tuning.pdf (in PDF document text)
    • http://nuxumejaxumem.epizy.com/nubafinabemutuduzotojemot.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7d3d9f7c-9a30-4021-8d29-7408627204d9/mona_lisa_overdrive_band.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/25465e02-b3a0-40b6-b9b1-44c90e8e4c89/dewalt_drill_set_20v_max.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/70bfe19a-0734-4398-a6db-85274fbe716b/clicker_universal_remote_garage_door_opener.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4a11aa8f-ed99-4c0d-8c5c-93030ab372ea/how_to_fall_into_rem_sleep.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/875cefba-bd7b-4abe-937d-967e5becee26/how_to_unlock_alcatel_fierce_4_password.pdf (in PDF document text)
    • http://vopisatewegom.rf.gd/12874527374.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the first URL is carried by a link annotation (a /URI action); the others were recovered from the document text, where most viewers still render bare URLs as clickable. The last seven entries (the w3.org RDF, purl.org Dublin Core and ns.adobe.com namespaces, and the SIL Open Font License URL) are XMP metadata namespace identifiers and a font licence reference, and the two www.ascendercorp.com entries name a font foundry; these most likely come from the XMP packet and the name tables of the two embedded sfnt fonts rather than from anything a user would follow, and they should be excluded when counting link-farm destinations.
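The two link-farm heuristics, the per-URL channel labels and the duplicate-object check above can be reproduced with a short triage script. This is an added example, not the analysis platform's own code: it walks the raw bytes with regular expressions instead of a real PDF parser (so it ignores xref tables, like most lenient readers), the disposable-host suffix list, the thresholds (at least ten .pdf links in a file under 200 KB, a 60 % share for a "dominant" host) and the 'medium' severity label are assumptions, and the PDFs it analyses are constructed by build_sample_pdf(), not the sample in this report.

```python
"""Added triage example: link-farm scoring and duplicate-object detection on raw PDF bytes."""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(?<![\d.])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")    # Link annotation /URI actions
RAW_URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")                 # any other URL in the bytes
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")  # active-content keys

# Assumption: suffixes of free/disposable content hosts seen in this PDF family.
DISPOSABLE_HOSTS = ("22web.org", "epizy.com", "rf.gd", "iblogger.org",
                    "strikinglycdn.com", "filesusr.com", "s3.amazonaws.com")
# XMP namespace identifiers and font-licence URLs are metadata, not navigable links.
NOISE_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                  "http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://scripts.sil.org/OFL")


def parse_objects(data):
    """Map (num, gen) -> every body defined for it, in file order (no xref needed)."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m[1]), int(m[2])), []).append(m[3].strip())
    return objs


def duplicate_objects(objs):
    """Object numbers defined more than once with differing bodies.  A first-wins
    reader resolves bodies[0], a last-wins reader bodies[-1]; severity stays 'info'
    unless one body carries active content (assumed label: 'medium')."""
    out = {}
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            out[key] = {"first_wins": bodies[0], "last_wins": bodies[-1],
                        "severity": "medium" if active else "info"}
    return out


def extract_urls(data):
    """url -> channel: 'link annotation' for /URI actions, else 'document text'."""
    urls = {m[1].decode("latin-1"): "link annotation" for m in URI_ACTION_RE.finditer(data)}
    for m in RAW_URL_RE.finditer(data):
        urls.setdefault(m[0].decode("latin-1"), "document text")
    return urls


def link_farm_verdict(urls, size, min_links=10, small=200_000, dominant=0.6):
    """Name of the matching heuristic or None.  Thresholds are assumptions."""
    pdf_links = [u for u in urls if not u.startswith(NOISE_PREFIXES)
                 and urlparse(u).path.lower().endswith(".pdf")]
    if size > small or len(pdf_links) < min_links:
        return None
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    if hosts.most_common(1)[0][1] / len(pdf_links) >= dominant:
        return "PDF_SEO_LINK_FARM"              # clustered on one dominant host
    if any(h.endswith(DISPOSABLE_HOSTS) for h in hosts) or any("utm_term=" in u for u in urls):
        return "PDF_SEO_DISPOSABLE_LINK_FARM"   # thin spread on throwaway hosting / redirector
    return None


def triage(data):
    urls = extract_urls(data)
    return {"urls": urls, "link_farm": link_farm_verdict(urls, len(data)),
            "duplicates": duplicate_objects(parse_objects(data))}


def build_sample_pdf(link_urls, duplicate=True):
    """Constructed test input: a minimal PDF (no xref table; lenient readers and
    regex triage cope) with one Link annotation per URL and, optionally, page
    object 3 defined a second time with an /AA JavaScript action."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>")
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
                    + u.encode() + b") >> >>")
    out = [b"%PDF-1.4"] + [b"%d 0 obj\n%s\nendobj" % (n, b) for n, b in enumerate(objs, 1)]
    if duplicate:
        out.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript "
                   b"/JS (app.alert(1)) >> >> >>\nendobj")
    return b"\n".join(out + [b"trailer\n<< /Root 1 0 R >>\n%%EOF"])


# Constructed link sets: 8 of 12 .pdf links on one host, versus 11 hosts plus a redirector.
CLUSTERED = [f"https://uploads.strikinglycdn.com/files/{i}/doc{i}.pdf" for i in range(8)] + [
    "http://a.22web.org/a.pdf", "http://b.epizy.com/b.pdf",
    "https://s3.amazonaws.com/c/c.pdf", "http://d.rf.gd/d.pdf"]
SPREAD = [f"http://site{i}.epizy.com/doc{i}.pdf" for i in range(11)] + [
    "https://redirector.example/strik?utm_term=free+template"]

if __name__ == "__main__":
    for name, links in (("clustered", CLUSTERED), ("spread", SPREAD)):
        r = triage(build_sample_pdf(links))
        print(name, r["link_farm"], {k: v["severity"] for k, v in r["duplicates"].items()})
```

Run directly, the clustered set fires PDF_SEO_LINK_FARM, the thin set fires PDF_SEO_DISPOSABLE_LINK_FARM, and object 3 resolves differently depending on the reader: a first-wins parser gets the plain page, a last-wins parser gets the page with the /AA JavaScript action, which is exactly why the duplicate-object heuristic only raises severity when one of the bodies carries active content.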

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000f314.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF314    5144 bytes
  SHA-256: 7b429d81762e0c2061ca7498a7b798e1c1bfc010516cc015a68ad0124f84ab83
font_01_sfnt_off0001045d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1045D   10992 bytes
  SHA-256: 8d1df1f94dd7b5dda38c5d1b031d46c161a32409fcbe026ad6aefcbba42029e5