Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f7138cc41d6a740…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2021-04-22 12:02:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: d4dbdb2253934a5ee4ad0436d852db52
SHA-1: 7c3a951c021d5573ed536916d01af1393b79ead7
SHA-256: 4f7138cc41d6a7400c6e47baa4075cfd5d7413c3495b7bb8024a1f35af38ae7e
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (tagged by the platform; no script content was extracted from this sample, see the summary below, so treat this mapping as unconfirmed)

The PDF contains a large number of embedded URLs. According to the per-URL channel labels below, only one of them, https://golowaki.ru/strik?utm_term=hp+8600+printer+keeps+going+offline, is a clickable link annotation; it points to a domain associated with malicious activity, and its utm_term parameter echoes a search query about a printer going offline, the SEO lure that brings victims to the document. The remaining URLs sit in the document text and point to further PDFs spread across many unrelated hosts, most of them free or disposable content hosts (filesusr.com, S3 buckets, strikinglycdn.com, cdn.sqhk.co). The ML classifier flagged the file as malicious with high confidence (0.9998) and the heuristics classify it as a link farm on disposable hosting, i.e. a phishing or redirection lure rather than a working document. No scripts were extracted and the file carries no exploit of its own, so the actionable indicators are the linked destinations: the URLs and hosts listed below, rather than file-level exploit signatures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    A small PDF contains many external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free or disposable content hosts. This is the 'free document/template' SEO phishing PDF family: the document ranks for search queries and routes users into payload or redirect chains, which is not a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content for the same object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (saving over an existing file appends a new definition rather than rewriting the old one), so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Per-URL channel labels (URL, then the channel that reached it):
    • https://golowaki.ru/strik?utm_term=hp+8600+printer+keeps+going+offline  (PDF link annotation; the only clickable link, and the utm_term SEO-redirector the link-farm heuristic refers to)
    • https://static.s123-cdn-static.com/uploads/4385852/normal_5ff65cbb59681.pdf  (in PDF document text)
    • http://discovljzg.fun/silent_hunter_3_keyboard_commandsjmdbq.pdf  (in PDF document text)
    • http://musc-media.xyz/mercury_25_hp_2_stroke_specificationsl2997.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368772/normal_6022aff23951e.pdf  (in PDF document text)
    • http://seamanygau.best/20452558183k2dqn.pdf  (in PDF document text)
    • http://sk-anker.ru/pukutafikudubomuvil8vukg.pdf  (in PDF document text)
    • https://cdn.sqhk.co/nunexijezep/blhd91P/49102779597.pdf  (in PDF document text)
    • https://cdn.sqhk.co/denalivek/g8yicVl/word_search_inspiration_app.pdf  (in PDF document text)
    • http://devgame.design/how_to_pair_ps4_gold_headset_with_iphonelt4wv.pdf  (in PDF document text)
    • https://cdn.sqhk.co/xidafigutoxa/IBEvCib/91058150355.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text; a font foundry site, most likely from embedded font metadata rather than a lure link)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text; same origin as above)
    • https://s3.amazonaws.com/votawawo/birthday_card_template_google_docs.pdf  (in PDF document text)
    • https://d6ac5066-27fc-4e71-a07d-b30af50dfe8b.filesusr.com/ugd/934fc3_00a81935bbe84b8e8772255b7c91dde3.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/bifadiwuwileji/25951800783.pdf  (in PDF document text)
    • https://s3.amazonaws.com/dopugaxelelema/julolubutalovokipenokafax.pdf  (in PDF document text)
    • https://3491c55f-27e3-40bb-839b-e55f5d2a6f06.filesusr.com/ugd/d14465_fc0c3d8ebbd44cfaac03f821fabea28d.pdf?index=true  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/aca27e6b-5fa5-4fe3-bf3c-c4379632d7f9/liwovo.pdf  (in PDF document text)
    • https://3c8197b3-f999-4f29-b3da-fbdfea3dbf34.filesusr.com/ugd/0047a4_99b76d1c07f845df8bd8afeaee401a16.pdf?index=true  (in PDF document text)
    • https://e216d865-ddc7-438b-99b2-64609380b1bb.filesusr.com/ugd/7ae8b3_bc112e0d2d864e538ac8af3aea33a8bd.pdf?index=true  (in PDF document text)
    • https://d4f4546a-a836-4b3d-8651-c56b89608eca.filesusr.com/ugd/3e9e83_75fe046b048a4b43b3a390fea549bc0c.pdf?index=true  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/69715802-ad2c-458b-b963-dbee013e7f4a/junajuritapobupovasoxuv.pdf  (in PDF document text)
    The remaining URIs are XMP metadata namespace identifiers (RDF, Dublin Core, Adobe PDF and XMP schemas) and the SIL Open Font License link normally carried in embedded font metadata. They are fixed strings written by the producer, not navigation targets, and were labelled as document text presumably because the metadata stream was scanned as text; exclude them when counting link-farm hosts:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
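
The two shapes described by the heuristics above, an object number redefined with a different body across an incremental update and a link farm spread thin over disposable hosts, can be checked directly against the raw bytes. The following Python is an added example written for this page, not the analysis platform's code: it walks every `N G obj ... endobj` definition in file order, reports object numbers defined more than once with differing bodies and whether any definition carries active content, attributes each URL to the channel that carried it (link annotation, catalog open action, XMP metadata or page text, inflating FlateDecode streams so text links are visible), and scores the link-farm shape. The ACTIVE_KEYS and DISPOSABLE_HOSTS lists, the size and count thresholds, and the constructed sample PDF (example.invalid URLs, host{i}.example names, a made-up S3 bucket and filesusr subdomain) are assumptions for the example, not the platform's real rules or this sample's content.

```python
"""Added triage example (not the analysis platform's own code) for the two heuristics above:
duplicate object definitions with differing bodies, and per-channel URL attribution plus the
link farm shape. The sample PDF is constructed; its hosts and example.invalid URLs are placeholders."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")  # assumed list for this example
# Producer-written strings, not navigation targets: XMP namespace URIs and the OFL licence link.
NON_NAVIGATIONAL = ("http://ns.adobe.com/", "http://purl.org/dc/",
                    "http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://scripts.sil.org/OFL")
# Free/disposable content hosts taken from this report's URL list (assumed, not the platform's list).
DISPOSABLE_HOSTS = ("filesusr.com", "s3.amazonaws.com", "strikinglycdn.com",
                    "cdn.sqhk.co", "f-static.net", "s123-cdn-static.com")

def objects(pdf):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order, duplicates included."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3)

def decoded(body):
    """Inflate a FlateDecode stream so URLs in page text become visible (LF line ends assumed)."""
    m = re.search(rb"stream\n(.*?)\nendstream", body, re.S)
    if m and b"/FlateDecode" in body[:m.start()]:
        try:
            return body[:m.start()] + zlib.decompress(m.group(1))
        except zlib.error:
            pass
    return body

def duplicate_objects(pdf):
    """Objects defined more than once; severity is worth raising only when bodies differ and one is active."""
    seen = {}
    for key, body in objects(pdf):
        seen.setdefault(key, []).append(body)
    report = {}
    for key, bodies in seen.items():
        if len(bodies) > 1:
            differ = len(set(bodies)) > 1
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            report[key] = {"definitions": len(bodies), "bodies_differ": differ,
                           "active_content": active, "raise_severity": differ and active}
    return report

def channel_of(body):
    """Channel that carried a URL: clickable annotation, catalog open action, XMP metadata or page text."""
    if re.search(rb"/Subtype\s*/Link", body):
        return "link annotation"
    if b"/OpenAction" in body:
        return "open action"
    if b"<x:xmpmeta" in body or b"<rdf:RDF" in body:
        return "xmp metadata"
    return "document text"

def url_channels(pdf):
    """Map each extracted URL to the set of channels it was reached through."""
    chans = {}
    for _, body in objects(pdf):
        body = decoded(body)
        for u in URL_RE.findall(body):
            chans.setdefault(u.decode("latin-1"), set()).add(channel_of(body))
    return chans

def link_farm_score(pdf, chans, min_links=10, max_size=200_000):
    """Link farm shape: small file, many hosts, none dominant, plus a utm_term link or disposable hosts."""
    nav = [u for u, c in chans.items() if (c - {"xmp metadata"}) and not u.startswith(NON_NAVIGATIONAL)]
    hosts = Counter(urlsplit(u).hostname or "" for u in nav)
    top_share = hosts.most_common(1)[0][1] / len(nav) if nav else 0.0
    utm = any("utm_term=" in urlsplit(u).query for u in nav)
    disposable = sum(1 for h in hosts if h.endswith(DISPOSABLE_HOSTS))
    verdict = len(pdf) <= max_size and len(nav) >= min_links and len(hosts) >= 5 and top_share < 0.5 and (utm or disposable > 0)
    return {"navigational_urls": len(nav), "distinct_hosts": len(hosts), "top_host_share": round(top_share, 3),
            "has_utm_term": utm, "disposable_hosts": disposable, "link_farm": verdict}

def build_sample():
    """Constructed sample: link-filled compressed page text, a /URI link annotation, XMP, and an update redefining object 1."""
    text_urls = [f"http://host{i}.example/doc{i}.pdf" for i in range(10)]
    text_urls += ["https://s3.amazonaws.com/constructedbucket/a.pdf", "https://abc.filesusr.com/ugd/b.pdf"]
    z = zlib.compress(b"BT /F1 10 Tf 20 700 Td (" + " ".join(text_urls).encode() + b") Tj ET")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
           b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R >>"), (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
            (3, b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] /Metadata 6 0 R >>"),
            (4, b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
                b"/URI (https://example.invalid/strik?utm_term=hp+8600+printer+keeps+going+offline) >> >>"),
            (5, b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z) + z + b"\nendstream"),
            (6, b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream")]
    pdf = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % o for o in objs) + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"
    # Incremental update: same object number, different body, now carrying an /OpenAction /URI.
    pdf += (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (https://example.invalid/redirect) >> >>\n"
            b"endobj\ntrailer\n<< /Root 1 0 R >>\n%EOF\n")
    return pdf

if __name__ == "__main__":
    sample = build_sample()
    print(duplicate_objects(sample), link_farm_score(sample, url_channels(sample)), sep="\n")
```

Run it directly to see the three results for the constructed sample; on a real file, read the bytes and call the same three functions. The object walk deliberately ignores the cross-reference table: that is the point of the duplicate check, since it sees every definition in the file, including the one a last-wins reader would silently shadow. Excluding the XMP namespace URIs and the font licence link before counting hosts keeps producer boilerplate from inflating the distinct-host count, which is what the URL list above would otherwise do.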

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off00010829.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10829   5376 bytes
  SHA-256: 1d869d549d2b5f7545d115d48612385d74194caa1e349acf912ed26fa6f1e8b6
font_01_sfnt_off00011a8d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x11A8D   10892 bytes
  SHA-256: 45ef8dcee71d7c391f5876bb8f6b4789fdf02e3ce3968789f4fae9e03a20e9c2

Both artifacts are embedded fonts in sfnt (TrueType/OpenType) containers, consistent with wkhtmltopdf output; the ascendercorp.com and scripts.sil.org/OFL URLs listed above most likely originate from their metadata rather than from the lure content.