Malicious PDF — malware analysis report

Static analysis result for SHA-256 57a7a0400d1ef7aa…

Verdict: MALICIOUS
File type: PDF
Size: 111.4 KB
Created: 2021-03-25 06:50:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: faafe0ca720a64f8e7af64259f366fcb
SHA-1: 66a4767c82237daae75ea618cdc7c232649e4492
SHA-256: 57a7a0400d1ef7aafb909e02c14b8c7617b67f2fe986018f8c339f03875178d5
Risk score: 244

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier. It functions as a link farm, containing numerous embedded URLs that redirect to potentially harmful external sites, including a known malicious redirector. The primary malicious URL identified is https://crophysi.ru/wix?keyword=farberware+3.2+quart+digital+air+fryer+manual.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://crophysi.ru/wix?keyword=farberware+3.2+quart+digital+air+fryer+manual (in PDF document text)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000fe94.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE94 | 6796 bytes | c3c5a800f93ab88c866ce25aab85ca89f1cf4c197319f1b1588a3607d9104955
font_01_sfnt_off00010f78.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F78 | 5444 bytes | e1ea35e61e1c5c58450675e73c0e9e320b1d6a565ecd4bc9c8e3637d8ec507ef
font_02_sfnt_off00012223.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12223 | 5792 bytes | 5d2078402c22892810aefafb63944c31783d6c017b9278d85055ea2ac7af8ff8
font_03_sfnt_off000135e2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x135E2 | 20952 bytes | 31c9189b02643b1f86ee8b2c8996e4152ed68ef9d17a74cae5a23ab93c0df31b
font_04_sfnt_off00015605.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15605 | 15000 bytes | 50cbc942cf0ee9be293ff04af1fd653a6298a34cda4a890313a364a9539541d1
font_05_sfnt_off00018728.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18728 | 16788 bytes | b2e5ca0f83b63698f73fdd2631cd3cadcac351cf910cabac214b71ad300cd637
font_06_sfnt_off00019efe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19EFE | 6108 bytes | 31cb5846bafd0ba01ee536c1fbbda6556ecf6149762088ada0284b513d19daf6