Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f8f91311904e4df…

Verdict: MALICIOUS
File type: PDF
Size: 101.3 KB
Created: 2021-03-22 18:12:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: dca13d93e3e9b2bec173752c5d7cb4d7
SHA-1: 489366af2e9c77d765be56ba2df9770a5eb9db68
SHA-256: 4f8f91311904e4df560340f98dc7e7a6a80d14416f6fc7bffb34bf64bd4bbab5
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, most of them .pdf targets parked on free or disposable hosting domains, and is flagged as malicious by both the ML classifier and ClamAV. The only clickable link annotation points at a keyword URL on jumiwimov.ru for 'minecraft enchanting table language converter', a lure consistent with search-engine-driven 'free document' phishing; the remaining document-text links point to similar throwaway pages spread across many hosts. The PDF itself carries no exploit; the risk lies in the redirect chains behind the linked destinations, so treat it as a phishing/scam lure designed to drive search traffic to attacker-controlled sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9206

Heuristics (5)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    The small PDF contains many clickable external .pdf links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free or disposable content hosts. This is the 'free document/template' SEO phishing PDF family: the documents rank for search queries and route users into payload or redirect chains rather than following a normal citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a /URI, /JavaScript or /Launch action).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each one:
    • https://jumiwimov.ru/wix?keyword=minecraft+enchanting+table+language+converter (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4370778/normal_5fcd95eb56459.pdf (in PDF document text)
    • http://worldthailand.fun/vakefifupx4gt2.pdf (in PDF document text)
    • http://marketeuro.pro/strange_city_names_in_arizonar2lb9.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4368501/normal_5fe3c2b2df35b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377717/normal_60402ee293b8c.pdf (in PDF document text)
    • http://rakuropa.iblogger.org/free_water_brushes_for_photoshop_cs6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4412403/normal_601f1dae9d3b4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424951/normal_601832a80fad4.pdf (in PDF document text)
    • http://duwunil.22web.org/how_to_connect_canon_mg3022_printer_to_wireless_network.pdf (in PDF document text)
    • http://meetlait.pro/655900672165j6kx.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4457573/normal_5ffcd931a970c.pdf (in PDF document text)
    • http://wotidoteked.mywebcommunity.org/cestodos_veterinaria.pdf (in PDF document text)
    • http://zufefusu.iblogger.org/32181151518.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424364/normal_60367d3f86b84.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4378390/normal_5fcd6e3745194.pdf (in PDF document text)
    • http://eglo.club/6024741130479kbd.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5d944a43-b650-465f-abe9-f641b791bb25/mibevegaritekew.pdf (in PDF document text)
    • http://ziwebizivag.epizy.com/56028749806.pdf (in PDF document text)
    • http://befojarariwowab.epizy.com/ultimo_aggiornamento_whatsapp_android_2018.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bf86d9b7-63f1-4097-93c3-5ea555ed46e2/jaboxoxuworip.pdf (in PDF document text)
    • http://radiviwix.onlinewebshop.net/peterbilt_mechanical_engineer_salary.pdf (in PDF document text)
    • http://namakanexir.atwebpages.com/what_oil_for_4.7_dodge.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/61a8bb40-5f37-4b58-8f37-8bbe9149704b/ponikevukepa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dfac34e6-344a-4f7a-90ac-d1f39f41f2ea/foscam_fi9900p_firmware.pdf (in PDF document text)
    • http://pujumek.myartsonline.com/how_to_set_the_analog_time_on_a_g_shock_5146.pdf (in PDF document text)
    • http://nowageg.onlinewebshop.net/vowosirax.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers, and the gnu.org, sil.org, sourceforge.net and ascendercorp.com entries are licence and vendor URLs carried in the embedded font streams; they are metadata strings rather than clickable link targets and should be discounted when reading the list above. The 26 .pdf links and the single keyword-bearing link annotation are the ones the link-farm heuristic is about.
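The link-farm heuristic described above (many .pdf links, no dominant host, corroborated by an SEO-redirector parameter or disposable hosting) is easy to reproduce. The following is an added example, not the analysis engine's own code: it runs over a subset of the URLs listed in this report, ignores the metadata and font URLs because they are not .pdf targets, and returns a verdict with its evidence. The disposable-host suffix list, the `keyword` parameter (the rule text names `utm_term`; this sample's annotation carries `keyword=`) and the thresholds are assumptions chosen for the example.

```python
"""Link-farm heuristic over a PDF's extracted URLs (PDF_SEO_DISPOSABLE_LINK_FARM shape)."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free / disposable content hosts. Constructed for this example from hosts that
# appear in the report above; a production list would be far longer.
DISPOSABLE_SUFFIXES = (
    "s123-cdn-static.com", "f-static.net", "strikinglycdn.com",
    "epizy.com", "iblogger.org", "22web.org", "mywebcommunity.org",
    "onlinewebshop.net", "atwebpages.com", "myartsonline.com",
)

# Query parameters that mark an SEO-redirector link (assumption: the rule text
# names utm_term; the link annotation in this sample carries keyword=).
SEO_PARAMS = ("utm_term", "keyword")


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def is_document_link(url: str) -> bool:
    """Only .pdf targets count; XMP namespaces and font licence URLs are ignored."""
    return urlsplit(url).path.lower().endswith(".pdf")


def has_seo_param(url: str) -> bool:
    return any(p in parse_qs(urlsplit(url).query) for p in SEO_PARAMS)


def link_farm_verdict(urls, min_links=10, min_hosts=8, max_top_share=0.35):
    """Return (is_link_farm, evidence).

    'Spread thin' means enough links, enough distinct hosts, and no single host
    holding more than max_top_share of them. That must be corroborated by an
    SEO-redirector link or by at least half the links sitting on disposable hosts.
    """
    links = [u for u in urls if is_document_link(u) or has_seo_param(u)]
    hosts = Counter(host_of(u) for u in links)
    n = len(links)
    top_share = (max(hosts.values()) / n) if n else 0.0
    disposable = sum(1 for u in links if is_disposable(host_of(u)))
    seo_links = sum(1 for u in links if has_seo_param(u))
    evidence = {
        "links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 3),
        "disposable": disposable,
        "seo_links": seo_links,
    }
    spread_thin = n >= min_links and len(hosts) >= min_hosts and top_share <= max_top_share
    corroborated = seo_links > 0 or (n > 0 and disposable * 2 >= n)
    return bool(spread_thin and corroborated), evidence


# A subset of the URLs listed in the report above: the link annotation, twelve of the
# .pdf links from the document text, and three of the metadata/font URLs (which the
# heuristic must ignore).
SAMPLE_URLS = [
    "https://jumiwimov.ru/wix?keyword=minecraft+enchanting+table+language+converter",
    "https://static.s123-cdn-static.com/uploads/4370778/normal_5fcd95eb56459.pdf",
    "http://worldthailand.fun/vakefifupx4gt2.pdf",
    "http://marketeuro.pro/strange_city_names_in_arizonar2lb9.pdf",
    "https://cdn-cms.f-static.net/uploads/4377717/normal_60402ee293b8c.pdf",
    "http://rakuropa.iblogger.org/free_water_brushes_for_photoshop_cs6.pdf",
    "http://duwunil.22web.org/how_to_connect_canon_mg3022_printer_to_wireless_network.pdf",
    "http://meetlait.pro/655900672165j6kx.pdf",
    "https://uploads.strikinglycdn.com/files/5d944a43-b650-465f-abe9-f641b791bb25/mibevegaritekew.pdf",
    "http://ziwebizivag.epizy.com/56028749806.pdf",
    "http://radiviwix.onlinewebshop.net/peterbilt_mechanical_engineer_salary.pdf",
    "http://namakanexir.atwebpages.com/what_oil_for_4.7_dodge.pdf",
    "https://cdn-cms.f-static.net/uploads/4412403/normal_601f1dae9d3b4.pdf",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://ns.adobe.com/xap/1.0/",
    "http://www.gnu.org/licenses/",
]

if __name__ == "__main__":
    verdict, ev = link_farm_verdict(SAMPLE_URLS)
    print("link farm:", verdict, ev)
```

On the sample the verdict is positive: 13 qualifying links over 12 distinct hosts, the busiest host holding about 15% of them, 9 of 13 on disposable hosting, and one keyword-bearing redirector link. A document that cites twelve PDFs on one publisher's host fails the dominance check and is not flagged, which is the 'normal citation pattern' the rule contrasts against.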
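The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above turns on a simple observation: if `N G obj` appears twice with different bytes, a first-wins reader and a last-wins reader disagree about what that object is. The scanner below is an added example, not the engine's own code, and runs over a constructed PDF rather than the analysed sample: an original link annotation (object 4) points at a benign target, an appended incremental update redefines object 4 with a different /URI, and object 5 is re-emitted byte-identical so it must not be flagged. The list of keys treated as 'active content' is an assumption; it mirrors the report's rule of keeping body-only differences at info severity.

```python
"""Detect indirect PDF objects redefined with different bodies (first-wins vs last-wins)."""
import re
from collections import defaultdict

# "N G obj ... endobj" scanned over the raw bytes, so redefinitions in appended
# incremental updates are seen regardless of what the xref tables claim.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Keys that make a body "active content" (assumption): actions and script hooks.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR)\b")


def scan_duplicates(pdf_bytes: bytes):
    """Return one finding per (num, gen) that is defined more than once with differing bodies."""
    definitions = defaultdict(list)
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        definitions[key].append((m.start(), m.group(3).strip()))

    findings = []
    for key, bodies in definitions.items():
        if len({body for _, body in bodies}) < 2:
            continue  # byte-identical re-emission is not a confusion shape
        first_wins = bodies[0][1]   # what a first-definition reader resolves
        last_wins = bodies[-1][1]   # what a last-definition (incremental-update) reader resolves
        active = bool(ACTIVE_RE.search(first_wins) or ACTIVE_RE.search(last_wins))
        findings.append({
            "obj": key,
            "count": len(bodies),
            "offsets": [off for off, _ in bodies],
            "first_wins": first_wins,
            "last_wins": last_wins,
            # body-only differences stay "info" unless a version carries active content
            "severity": "warning" if active else "info",
        })
    return findings


# Constructed sample (not the analysed file). Object 4 is a link annotation that the
# appended update silently repoints; object 5 is repeated unchanged.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign.pdf) >> >> endobj
5 0 obj << /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Size 6 >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://redirector.invalid/wix?keyword=lure) >> >> endobj
5 0 obj << /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    for f in scan_duplicates(SAMPLE_PDF):
        print(f"obj {f['obj']} defined {f['count']}x at offsets {f['offsets']} [{f['severity']}]")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

The scan deliberately ignores xref tables and /Prev chains: the point of the heuristic is that two readers can legitimately disagree, so the analyst wants both candidate bodies, not the one a particular parser would pick. A real triage tool should additionally decompress object streams, since a redefinition hidden inside an /ObjStm is invisible to a raw byte scan.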

Extracted artifacts (8)

Files carved from inside the sample during analysis. All eight are embedded sfnt font streams; the SHA-256 of each carved stream is listed under its row.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000f164.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF164    6464 bytes
  SHA-256: 7e688e3631080a70149b57895c5ce5332f8ce56bb9517f036ad8be4533525dd6
font_01_sfnt_off00010127.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10127   3468 bytes
  SHA-256: 2afd59ed218f777222ab78ded134e48f05ab3a757bee84eec4220d4377b14b59
font_02_sfnt_off00010da1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10DA1   5168 bytes
  SHA-256: c1dbe4fb6749b201e8460d01e4427fa8b0c1beead1dce513156cee234d6ddc50
font_03_sfnt_off00011f10.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11F10   6316 bytes
  SHA-256: 0a698ffebdb84d2520120c508a029a7e65a65c7003e5734180f378e5612717d1
font_04_sfnt_off00012e6b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x12E6B   1796 bytes
  SHA-256: dfab3945eace5ba27be1ad95d63d5142397767eab6bca27773794b33bda2302c
font_05_sfnt_off000136f5.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x136F5   11108 bytes
  SHA-256: 62e82707aaffcb80c8a57047925b0e6ee8f60dca96221ed9afdedbe9bb3a9aac
font_06_sfnt_off00015cc7.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x15CC7   16540 bytes
  SHA-256: 979833a5082700a05166eb7c5f079aa9d240cff169c02e76c4d4d39eb9e91cc5
font_07_sfnt_off00017385.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x17385   6120 bytes
  SHA-256: 9d8a6b9b603f76cbfcb8d8739d0b4c3adc431c78c012d0281bcde876f0aa8049