Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d1524f85dc2c9bb…

MALICIOUS

PDF

Size: 65.3 KB
Created: 2021-06-09 18:37:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: b484c94b821e60beb83a646919588c6f
SHA-1: c136d096b696fcb83bc5bb6282a34bfa34aad0be
SHA-256: 4d1524f85dc2c9bb8141043611a04f5063e94198a67b1525ea88ce2e8209819d
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as a phishing trojan and by an ML classifier. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. One of the extracted URLs, https://chcial.ru/pbw?utm_term=sun+tv+nandini+serial+song+download, is likely part of the malicious infrastructure. No scripts were extracted, but the PDF structure and link farm indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6227

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://chcial.ru/pbw?utm_term=sun+tv+nandini+serial+song+download (PDF link annotation)
    • https://rikodobuged.weebly.com/uploads/1/3/1/6/131606346/6a6f9de2.pdf (In PDF document text)
    • https://biwezufum.weebly.com/uploads/1/3/4/8/134872286/8752748.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4411219/normal_60509210815cc.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4383156/normal_6028fe9752e65.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4386618/normal_6065274371621.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4370286/normal_5fcc3ee36bc13.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501201/normal_601183de2ce2f.pdf (In PDF document text)
    • https://voxuvuru.weebly.com/uploads/1/3/5/3/135390020/21bdd612fdb4b.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://fedorahosted.org/lohit (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c8e63ccb-fb6e-4872-ba79-b409257e02e6/fisher_price_my_little_lamb_platinum_2_cradle_n_swing.pdf (In PDF document text)
    • http://lakebimutep.pbworks.com/f/najarokovutoberipus.pdf (In PDF document text)
    • http://tekitejug.pbworks.com/w/file/fetch/144613026/descargar_diccionario_de_trminos_mdicos_gratis.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/7441c6eb-4d75-4104-bf6b-ed33c68816e9/mizuj.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e530db1e-ad31-478b-8fab-8fe99d26b000/60743044699.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3bb9f291-659d-4ca0-b5fe-5e757644e010/super_mario_3d_all_stars_super_mario_galaxy_luigi.pdf (In PDF document text)
    • http://vevokofeju.pbworks.com/f/10_oraciones_simples_y_5_compuestas.pdf (In PDF document text)
    • http://dijakezepo.pbworks.com/w/file/fetch/144869607/sustainability_reports_guidelines_2020.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/9fa23258-d3a1-4327-ab9a-868693ece50d/why_do_my_legs_hurt_at_night_teenager.pdf (In PDF document text)
    • http://dobifapig.pbworks.com/w/file/fetch/144465627/36859721600.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3b46701e-a454-49a9-a8ac-a786a0c78d42/are_teeter_hang_ups_good_for_you.pdf (In PDF document text)
    • http://nimogomaw.pbworks.com/w/file/fetch/144969135/gta_vice_city_new_graphics_ultra_mod.pdf (In PDF document text)
    • http://giwupiraride.pbworks.com/f/first_20_elements_of_the_periodic_table_with_atomic_number_and_mass.pdf (In PDF document text)
    • http://bekojifutok.pbworks.com/w/file/fetch/144739275/how_do_you_use_the_expectancy_theory_of_motivation_in_the_workplace.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a79858e8-9d99-4be5-a194-5470a14a572d/how_do_i_connect_my_logitech_keyboard_to_my_macbook_pro.pdf (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e0dc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0DC
    Size: 5248 bytes
    SHA-256: 58f5a01e62be6e17a2be3b11dcce4792f3ed3638a34b239a456fdce6b9535c15
  • font_01_sfnt_off0000f2cf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2CF
    Size: 5448 bytes
    SHA-256: 631dec9d2e03e9a4bddac43438209c35d0bddc78cd6cc8a9ad3a6e3b4110985b