Malicious PDF — malware analysis report

Static analysis result for SHA-256 54ac8c1c2a891ce5…

MALICIOUS

PDF

Size: 86.5 KB
Created: 2021-05-25 07:19:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 89ca5efb6fad94d6c222cee79ff02020
SHA-1: 17b4e886fa9d4fe8524acbc6544260e5f30f380b
SHA-256: 54ac8c1c2a891ce50f164e722d93f35878b877585475872ed0558f92a39c2209
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=euro+truck+simulator+2+key+generator+download (PDF link annotation)
    • https://wodarobasuk.weebly.com/uploads/1/3/5/3/135300597/kuporir.pdf (in PDF document text)
    • https://nagejezesalu.weebly.com/uploads/1/3/0/8/130874580/pofekamagevuwavewaf.pdf (in PDF document text)
    • https://wirorovikematu.weebly.com/uploads/1/3/1/0/131071137/ruxisix-weran-newasifari-xipafotu.pdf (in PDF document text)
    • https://tamoniwezetiro.weebly.com/uploads/1/3/5/9/135961995/8d74a9564.pdf (in PDF document text)
    • https://resonorur.weebly.com/uploads/1/3/4/8/134874279/tifivepipodo.pdf (in PDF document text)
    • https://simogewijak.weebly.com/uploads/1/3/4/6/134642120/8939394.pdf (in PDF document text)
    • https://wukarogokemek.weebly.com/uploads/1/3/0/7/130739107/9668939.pdf (in PDF document text)
    • https://kuxobemif.weebly.com/uploads/1/3/1/3/131379353/lobuxejun.pdf (in PDF document text)
    • https://nevedaroxizewav.weebly.com/uploads/1/3/4/5/134592578/a11247d504f30fb.pdf (in PDF document text)
    • https://memuvarava.weebly.com/uploads/1/3/1/3/131384606/951b77db.pdf (in PDF document text)
    • https://satizivuzaked.weebly.com/uploads/1/3/4/3/134383512/2802253.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/13b4e721-f018-40e2-b3cf-e6dbb7133784/how_to_change_ink_cartridge_hp_deskjet_2541.pdf (in PDF document text)
    • https://s3.amazonaws.com/sogovekevi/larousse_francais_anglais_apk_android.pdf (in PDF document text)
    • https://s3.amazonaws.com/waxegatulo/vemuto.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a75a63f5-c549-4ef8-9105-2821627d5f1a/30517216741.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0c0e02ca-f691-4c59-a703-86ce268219d7/escape_from_innsmouth_mansions_of_madness_ending.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a2c8a310-c283-41c0-aeda-6b8d65db0925/vikagizugod.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0d86b7cf-14e8-4ef7-a67e-59526e28767f/35458419462.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ffcee0e0-58d7-4064-a9d7-f6501f40d6a3/mastering_the_grade_8_social_studies_teks_answer_key_chapter_7.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a0b254fa-3655-4fee-bf69-7c88c1d8bd9f/97210088283.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/17c6efd8-52ba-4de3-93a0-7967fd2bc839/57360496370.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d56d5650-1fef-4576-aa49-25bfaf1fd2c8/the_second_paragraph_of_the_declaration_of_independence_song.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/55bae90c-a155-4d61-ae38-3ce67e9be72f/netgear_wndr3300_manual_espaol.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f6e6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6E6
    Size: 5608 bytes
    SHA-256: 9290b53b4c0420035d7428572c59c3429017f82350ca54d070751fa7fb1ca3ad
  • font_01_sfnt_off00010a00.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A00
    Size: 11552 bytes
    SHA-256: c415c4a2fdf9767ce54d7a2c3b3e1cafe75421c141a84d46d020f2c1b28f48ab
  • font_02_sfnt_off0001317a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1317A
    Size: 17648 bytes
    SHA-256: e61c85b5a46c1bd640c5559ee22b5b190f8d84ed9f59a1c1e15cb09ab73a2d5e