Malicious PDF — malware analysis report

Static analysis result for SHA-256 50647460eafe8a89…

Verdict: MALICIOUS
File type: PDF
Size: 94.0 KB
Created: 2021-05-24 03:03:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: 96aee57934733e6ccdca034d41d3a2ed
SHA-1: 122e29c4a4367b0013b5792481c048e784cd9d41
SHA-256: 50647460eafe8a894b2fb2bc3fb93e14c1295ac50b7743c5f17a73954fc42021
Risk Score: 254

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious redirector links and a link farm, suggesting a phishing or scam attempt. The primary malicious URL identified is a redirector designed to lure users with the promise of a free font download. While no scripts were directly extracted, the PDF structure and embedded links strongly suggest an attempt to lead the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high, PDF_SEO_UTM_REDIRECTOR_LINK]
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/strik?utm_term=myriad+bold+font+free+download (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off000136de.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x136DE
    Size: 17036 bytes
    SHA-256: 91aa74a727b440869a9f328b7f307c8928bed3fef1a52614e5c58c69597e465d
  • font_00_sfnt_off0000ff90.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF90
    Size: 5064 bytes
    SHA-256: e37a8f8e2df03f623e2cff1096f9f44045a98d7df18a960e2cec74136284c989
  • font_01_sfnt_off000110f8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110F8
    Size: 11040 bytes
    SHA-256: db0929b055661e2f3090f3892f019beb755a31125cddc289a7b81d0a64b5dc6f