Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d2e0df421b00ebd…

MALICIOUS

PDF

81.6 KB Created: 2021-03-19 08:11:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf1710a86a282b1818e574e9afe7c6d1 SHA-1: ddabaedfdeff27fe75fbcfb5bc88cdc7b3f6c5e4 SHA-256: 4d2e0df421b00ebd49b65e76b6b06644f08a506a1e0b09f4e0439aa9935e2b5b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of external links, identified as a link farm hosted on disposable domains. ClamAV detected this file as 'Pdf.Phishing.Trojan', and an ML classifier assigned a high probability of maliciousness. The primary purpose appears to be directing users to potentially malicious content hosted externally.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/123?utm_term=cover+letter+template+docx
    • https://xaxarudo.weebly.com/uploads/1/3/0/7/130740130/9434882.pdf
    • http://xofenejilomoz.iblogger.org/dodiba.pdf
    • http://introdom.ru/trex_handrail_installation_guidegpudb.pdf
    • https://cdn-cms.f-static.net/uploads/4465402/normal_601c8d836e19a.pdf
    • http://ru-dev.xyz/83517609003z4yum.pdf
    • http://usesucre.pro/death_in_paradise_theme_song_sheet_musicpigro.pdf
    • http://appless.space/free_printable_second_grade_math_worksheetsobm01.pdf
    • https://pepomujotopulog.weebly.com/uploads/1/3/4/8/134873529/zalojukizita_rewunusi.pdf
    • https://cdn-cms.f-static.net/uploads/4483851/normal_5fd3cdaf0fc34.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e8dc5420-792a-4861-90db-09cfc8d8a7d1.filesusr.com/ugd/1378f5_f023f5573b384475a54f03814dff35b6.pdf?index=true
    • https://47e244ab-6b1f-4ae7-97e8-86de5b619f9f.filesusr.com/ugd/e1d12c_df1dddcd0ce64bc3a22eb4346033af2d.pdf?index=true
    • https://3175e58c-9db9-4d87-bcb9-15e03531d93d.filesusr.com/ugd/c93210_d40d39305c324e1bad79c55d6f1f7b6a.pdf?index=true
    • https://a43ab9c2-5efb-4cee-ac06-b782a0f5e207.filesusr.com/ugd/4826f5_d9707ae176c94bc3875abbe465f39192.pdf?index=true
    • https://df1882fa-13c5-42f1-8438-577935b594b9.filesusr.com/ugd/91932b_0470f73587604e0e9472d277b169b0fb.pdf?index=true
    • https://4993f9ff-345c-4c03-a8ec-d4f8dac664d6.filesusr.com/ugd/debbe1_09d00dbce8fb4d32a3f112b7644823b3.pdf?index=true
    • http://tuduresoxafu.epizy.com/11989973246.pdf
    • https://56db2a4d-09ce-4ff6-a558-abb1d6727cd4.filesusr.com/ugd/003b86_82faf1db83b94942913c7bcf7f63ca20.pdf?index=true
    • https://fdb0147f-387d-4908-9c93-1ccdb5bf775f.filesusr.com/ugd/aea2e0_4ed530febdc34fa89fe840441c8263ec.pdf?index=true
    • https://ab2ac9d4-4772-4872-829d-c19fde0a4f90.filesusr.com/ugd/b919b3_037e9895bdea4cbfa918cb298622e174.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001006e.bin
d7cf345c56bb12deb602be89afabd35753385eca4a202e4b7622a3741389ab89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1006E 5076 bytes
font_01_sfnt_off0001119a.bin
625bdfa90dce1938d402a855c3b59ba849b009f8432c71e4745fed1b67881e3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1119A 11212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.