Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ce4b889ed79182a…

Verdict: MALICIOUS
File type: PDF
Size: 69.5 KB
Created: 2021-05-15 22:36:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: be9a1e6e742a92be3139ebc270dbb99b
SHA-1: 7902677a47fc339eeead0caddc36083aa9c7f13b
SHA-256: 4ce4b889ed79182af18f4f67a62b3136694f0c68fa942fdf29df3f6c878cebfa
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a significant number of external links, identified as a link farm, with many pointing to disposable hosting. This suggests an attempt to manipulate search engine results or redirect users to potentially malicious sites. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and ML classification further supports its malicious nature. While no scripts were directly extracted, the PDF structure and external link farm behavior are indicative of a phishing or content distribution attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=how+to+connect+midi+to+usb (PDF link annotation)
    • http://bahis-sikayet.com/babysitter_apk_latestkulhw.pdf (in PDF document text)
    • https://cdn.sqhk.co/tatidukigag/hf4ghjt/20520953969.pdf (in PDF document text)
    • https://cdn.sqhk.co/vumuwuxa/jjgpQbV/sports_bikes_wallpapers_for_desktop.pdf (in PDF document text)
    • http://akfb.online/zijobatoveferefobonigugcq5t.pdf (in PDF document text)
    • https://cdn.sqhk.co/jaxaletadi/DiiCr4g/paripujejegomavadotekene.pdf (in PDF document text)
    • https://lopiranurepo.weebly.com/uploads/1/3/4/7/134735856/tifokepuzagejubunate.pdf (in PDF document text)
    • http://esagafow.fun/sonufosagw0sw9.pdf (in PDF document text)
    • https://niraxonaweza.weebly.com/uploads/1/3/4/0/134000156/7570626.pdf (in PDF document text)
    • https://cdn.sqhk.co/banamasuvaj/dr4PifY/87678853973.pdf (in PDF document text)
    • https://wusafasugulub.weebly.com/uploads/1/3/4/5/134586051/kepudutej.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c9afb76e-57e7-48bd-acfd-92b7a26c7f68/63759887559.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e9eba396-6d5c-4492-9c5d-765815fa9bb7/95909783710.pdf (in PDF document text)
    • https://d4180a97-8dd0-4bf1-9e2f-d1b128d1a64d.filesusr.com/ugd/ae059d_618b7f2b3bf2464cb0443d989be997c7.pdf?index=true (in PDF document text)
    • https://78e27e65-9996-4239-a63d-7a21722db537.filesusr.com/ugd/03f576_9bcaac35bdab4a9b9cab5b0751cd5112.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/19f3abb3-5c63-4a31-aadb-e085041cf41c/what_is_the_setting_of_orpheus_and_eurydice.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4db1e9ad-cfb0-4a8e-94aa-9acbbeb91b67/fl_studio_vs_ableton_cpu_usage.pdf (in PDF document text)
    • https://d3dd75b0-514a-4dbf-a1f7-973a5b421fb1.filesusr.com/ugd/5b46ec_4a6191d4ca284c8abf8bb03435574e9c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/453f807e-bb07-4831-a719-9296f03b2418/88657788012.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d645.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD645
    Size: 4940 bytes
    SHA-256: d88872fd1a9a420449408b58bd44795145f3c9199caf751e26c68693f53eacb1
  • font_01_sfnt_off0000e711.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE711
    Size: 9752 bytes
    SHA-256: a06a973167f3e1705a9a8cea9a34b9580e34be9d3a6bf1dac5c58c21a75e32d9