Malicious PDF — malware analysis report

Static analysis result for SHA-256 50421822143597cb…

MALICIOUS

PDF

Size: 112.0 KB
Created: 2021-06-04 21:34:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 9be97b34562af3de293bae48308be74e
SHA-1: 6a8ba5d21425b5a0bbe103422c9b415e76906234
SHA-256: 50421822143597cb74ab1b54a81599b7b0588812a4d7ba014161e8967521df6f
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on disposable domains or used for SEO purposes, as indicated by the 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The presence of embedded URLs suggests an attempt to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, id: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel through which each was reached):
    • https://crysiq.ru/pbw?utm_term=hydraulic+flow+diagram+of+sewage+treatment+plant (PDF link annotation)
    • https://xinujulajupi.weebly.com/uploads/1/3/4/3/134321003/wujokikup.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377114/normal_60120fdec83ee.pdf (In PDF document text)
    • https://xemedibapasuv.weebly.com/uploads/1/3/2/6/132695509/1230107.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368772/normal_6054aac196b16.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4473619/normal_5ffea15d913ee.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4488555/normal_6064b619b0846.pdf (In PDF document text)
    • https://xusofudubivo.weebly.com/uploads/1/3/0/7/130775679/e4437e1ad.pdf (In PDF document text)
    • https://bopuxokefira.weebly.com/uploads/1/3/5/3/135300507/rifis_supebakanurax.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4502920/normal_60275f85c7c9c.pdf (In PDF document text)
    • https://zubosevofugojat.weebly.com/uploads/1/3/4/3/134307347/4667742.pdf (In PDF document text)
    • https://lodoxaravejow.weebly.com/uploads/1/3/4/7/134719504/6a6bf.pdf (In PDF document text)
    • https://tapogizixe.weebly.com/uploads/1/3/4/8/134897788/7860785.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470981/normal_600c6fdda9575.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/81cda129-c3cb-41f3-b194-12943f45e332/rbol_es_aguda_llana_o_esdrjula.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4a43eb8d-bb78-484b-b504-5af9a66fbbd3/bejozelejifimu.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/418a24c8-e954-42c6-b7b2-505226dd9912/bakshi_power_electronics_download.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/67f939e1-6740-4f8f-9717-c5ca385e0916/70847943720.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/8f412af7-eceb-4faf-80dc-50fcd36033a7/35431235376.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/04322acb-8bf0-46cf-bf49-768c971a5698/how_to_use_a_ti-30xa_for_logarithms.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/da8fc5f3-4a88-44ce-acaa-78fc8b5d69b9/bizawajudagoferarug.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3cced26b-10b9-4666-8078-9317c97ae7e6/black_and_decker_quick_and_easy_food_processor_fp1450_manual.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/96320345-f603-41f4-bccb-5b9103d8718a/educational_psychology_doctorate_entry_requirements.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/eff1737b-ec11-46f9-acbb-94590f854092/87238518460.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00017901.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17901 | 5632 bytes
  SHA-256: b320d1972b1b2f4bd7eccc105cfb05e24630e90d3f7a416db90096fa8c183125
font_01_sfnt_off00018c32.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18C32 | 11328 bytes
  SHA-256: 86c7a811cdf8ee563862445a9d4d56666143ed1af39c18ad74e0e6487e37b979