Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f9a30a53e7183e1…

Verdict: MALICIOUS
File type: PDF
Size: 186.5 KB
Created: 2018-04-25 17:41:37 +03:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: 17abad1043045a2192f70e5a313ce4fe
SHA-1: 97364a6ba164ae69e216b646b5be01c19a94ba3b
SHA-256: 5f9a30a53e7183e1eba5fd5e097313fbcdc31d37848ba4ab0144d6851379d3f1
Risk Score: 84

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a malformed stream and numerous embedded URLs, indicating an attempt to redirect users to potentially malicious content. The ML classifier also flagged this PDF as malicious. The presence of multiple links on disposable hosting suggests a link farm or SEO poisoning tactic, likely to drive traffic to the primary malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9008

Heuristics (4)

  • Malformed active-content stream length [medium] PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://renimba.info/wp1?keyword=%D1%81%D0%BF%D0%B8%D1%88%D1%83+%D0%B3%D0%B4%D0%B7+%D0%BF%D0%BE+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC%D1%83+%D1%8F%D0%B7%D1%8B%D0%BA%D1%83+9+%D0%BA%D0%BB%D0%B0%D1%81%D1%81 (PDF link annotation)
    • http://wordpress.pirogi.ru/function.file-get-contents (in PDF document text)
    • http://doors31.coder.lv/gen2pdf.php (in PDF document text)
    • https://counfaipayrie1970.files.wordpress.com/2018/04/tuxosepiw-gdz-po-geometrii-7-klass-balaian-zadachi-na-gotovykh-chertezhakh-renafopesiva.pdf (in PDF document text)
    • https://tiobanphera1975.files.wordpress.com/2018/04/tapojamewifuwev-skachat-need-for-speed-no-limits-na-android-besplatno-bez-virusov-vomexetekun.pdf (in PDF document text)
    • https://laulupcofor1974.files.wordpress.com/2018/04/gubadezuxajuwu-gdz-po-algebre-dlia-7-klassa-alimov-vidobexonokigeb.pdf (in PDF document text)
    • https://laulupcofor1974.files.wordpress.com/2018/04/doxanag-skachat-draivera-3d-dlia-windows-7-besplatno-luvupuwopekib.pdf (in PDF document text)
    • https://img0.liveinternet.ru/images/attach/d/0//5908/5908122_mujkaksdategepomatematikeprofilnyiuroven2017zibi.pdf (in PDF document text)
    • https://rlinekabet1989.files.wordpress.com/2018/04/dawumeperesos-retsepty-prigotovleniia-miasa-goviadiny-v-folge-lexugowimos.pdf (in PDF document text)
    • https://inpetfipen1982.files.wordpress.com/2018/04/bibizizuj-proiskhozhdenie-cheloveka-i-stanovlenie-obshchestva-test-10-klass-poxapufug.pdf (in PDF document text)
    • https://hyapuwatchre1980.files.wordpress.com/2018/04/wuxivujonozubuw-test-s-dosrochnogo-ege-po-russkomu-iazyku-2017-s-otvetami-tasazir.pdf (in PDF document text)
    • https://stanincorsend1983.files.wordpress.com/2018/04/sujadojuje-orkhideia-usloviia-soderzhaniia-kratko-kobogagozepaj.pdf (in PDF document text)
    • https://img0.liveinternet.ru/images/attach/d/0//5906/5906600_vopikreshebnikpoalgebre9klassmishustinazobasuf.pdf (in PDF document text)
    • https://img1.liveinternet.ru/images/attach/d/0//5911/5911013_wexidesbornikresheniidliaegepomatematikedubi.pdf (in PDF document text)
    • https://folkwalatan1981.files.wordpress.com/2018/04/jazolida-nastoika-iz-oblepikhi-v-domashnikh-usloviiakh-prostoi-retsept-s-vodkoi-kevibevotow.pdf (in PDF document text)
    • https://emclenorpor1977.files.wordpress.com/2018/04/dibejef-shpargalki-dlia-ege-po-matematike-bazovyi-uroven-2016-petupatukiw.pdf (in PDF document text)
    • https://prupaqrestio1977.files.wordpress.com/2018/04/pozizilor-svai-8-35t1-seriia-3-500-1-1-skachat-pasik.pdf (in PDF document text)
    • https://incomlailing1985.files.wordpress.com/2018/04/vifupa-salat-iz-pekinskoi-kapusty-s-kopchenoi-kuritsei-retsept-s-foto-piladoximunit.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_002_off0000a48b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA48B | 1485561 bytes
    SHA-256: 1718db8b7c6a44712dc1b3acee434281abf7527ebf6ea299260c2277eb5af585
font_00_sfnt_off000296df.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x296DF | 19760 bytes
    SHA-256: ab3dc401914a6fc7a837a369ed1e2a533ae079e450588eea9711dec5f54fac6a
font_01_sfnt_off0002c3aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C3AA | 17512 bytes
    SHA-256: 7c9ff10b8541f43ac620da9a4b5c29efae581907bf4ac39c37adb869e31801d4