Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e9529c4473e86a0…

MALICIOUS

PDF

73.9 KB Created: 2021-03-28 05:01:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b35d295fb21ed6d218c4b392145f3395 SHA-1: 7d434fdd55d78f73d6710e188a76dc9638b49482 SHA-256: 4e9529c4473e86a07369641b18cec2a173663ff7f7efe9ec2ae61ae524dd1ed6
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many pointing to domains that appear to be part of a link farm or disposable hosting. Heuristics indicate a 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM', suggesting a non-benign purpose related to SEO manipulation or content distribution. ClamAV also detected it as 'Pdf.Phishing.Trojan'. The primary attack pattern involves luring users to external, potentially malicious, content via a large number of embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=link+belt+cranes+specs
    • http://form-lnstagramverifiedbadges.com/pejijemh350v.pdf
    • http://mofemaruwek.sportsontheweb.net/57917464605.pdf
    • https://cdn.sqhk.co/zefafulolit/la6jbhc/battlebots_push_strike_nightmare.pdf
    • http://nebo-baikala.ru/zuritebafefy7ev8.pdf
    • https://jitebogegamoma.weebly.com/uploads/1/3/4/7/134761197/36618.pdf
    • http://banquepopulaire-fr.org/vufiduxedbo4o.pdf
    • https://sakotitalivuvu.weebly.com/uploads/1/3/4/8/134887700/7077333.pdf
    • http://rejamar.sportsontheweb.net/lopurodokinerewefatateji.pdf
    • https://xidelesa.weebly.com/uploads/1/3/4/4/134498911/pejilawijipapemete.pdf
    • https://pobejatu.weebly.com/uploads/1/3/2/7/132741278/d6ac0c.pdf
    • https://gevexivojuler.weebly.com/uploads/1/3/4/4/134444242/d26399664b0e69e.pdf
    • https://cdn.sqhk.co/fexilejedit/eV9ibjf/wall_basket_storage_uk.pdf
    • https://vefoduwuwi.weebly.com/uploads/1/3/4/9/134902927/8750737.pdf
    • http://plsale.pro/65303336593nq9u1.pdf
    • https://puwoposujol.weebly.com/uploads/1/3/0/9/130969317/9cdf979d1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://13adc596-845f-4f4a-b539-e2c04a0a4b5a.filesusr.com/ugd/6e2da7_f2191765cde24d2297df00489fd3b7d4.pdf?index=true
    • https://09d7e2b9-79a3-4876-9e00-73a1ba4263a4.filesusr.com/ugd/92fcd7_a91b4721edff47009a465b2899fbd96a.pdf?index=true
    • https://ba739632-11db-41f7-a023-683a20e55d36.filesusr.com/ugd/99835b_13eee8b9f9ad48928c2f554fc4eb6708.pdf?index=true
    • https://d4508431-0eee-4913-ac2a-2ec907ed9b18.filesusr.com/ugd/12daa7_5a6254e569a04c9dbf8390087f32dc77.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cf56.bin
d251db393bf39a49701a8cb4ad9e9f25fc9073f521e2eb6b6b766dadec8690d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF56 5072 bytes
font_01_sfnt_off0000e0a8.bin
42df49a82783616605140806d68b41512245bca2023f1011f4dd60073d909c73		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0A8 10508 bytes
font_02_sfnt_off000104e3.bin
99ddc6f5858eb134f8024171ebe717cbd02485c31471b921a5021903b5272953		 pdf-font-stream PDF embedded font (sfnt) at offset 0x104E3 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.