Malicious PDF — malware analysis report

Static analysis result for SHA-256 6002570998666845…

Verdict: MALICIOUS
File type: PDF

Size: 77.4 KB
Created: 2021-05-24 17:10:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 6fbdecf4a7c6e1127aeec183673db78b
SHA-1: 72a127143dcb114752aba3e7a3a24ddfb08d1b2e
SHA-256: 60025709986668458c478c21d8b0bff41884571581ecf6de359cca90658b710b
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains an unusually large number of external links for its size. Most of them point to other generated PDFs hosted on a handful of file-hosting domains, the pattern of an SEO link farm used to funnel search traffic into phishing or unwanted-software delivery chains rather than a normal citation pattern. The link annotation identified in the document, 'https://baarspo.ru/strik?utm_term=how+to+install+centurion+d5+gate+motor', is dressed up as a guide for installing gate-motor hardware; the remaining URLs were found in the document text. ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (malicious score 0.9997) independently flag the file as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature named above.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; a normally authored document does not cite sources this way.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action reachable from a link annotation).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last (the normal incremental-update rule) resolve different content, a parser-confusion shape used by targeted PDFs to show a scanner one document and the viewer another. Body-only differences are also common in benign incremental updates (a saved form field or annotation), so severity is raised only when the duplicate carries active content such as JavaScript, launch or URI actions.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample only the baarspo.ru URL carries the link-annotation label; the rest were found in document text. The w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata stream, scripts.sil.org/OFL is the SIL Open Font License URL that OFL-licensed fonts embed in their name table, and the ascendercorp.com entries are the kind of vendor/designer URLs carried in embedded font name tables; none of these is a navigable link in the document.
    • https://baarspo.ru/strik?utm_term=how+to+install+centurion+d5+gate+motor  (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4480884/normal_605501950a294.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4403140/normal_603f2268baf77.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380090/normal_601a8548426e2.pdf  (in PDF document text)
    • https://segurawunazuzi.weebly.com/uploads/1/3/1/3/131381703/woraliwikefob.pdf  (in PDF document text)
    • https://gagegopered.weebly.com/uploads/1/3/4/8/134880179/gigodibotud_bulupixi.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4467589/normal_5fc6764122a9e.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4404500/normal_60088acb1cabb.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4459165/normal_600fb2291636c.pdf  (in PDF document text)
    • https://sarotokatot.weebly.com/uploads/1/3/2/6/132682281/26a88ad9165f179.pdf  (in PDF document text)
    • https://tovibebifenoge.weebly.com/uploads/1/3/2/6/132695438/4b6749.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4388065/normal_5fc92eb663178.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4477864/normal_5fd7ae087f065.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • https://s3.amazonaws.com/wopari/astronomy_magazine_2019.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cf6cb186-b9c7-4a56-9bdd-5104a730c623/how_to_make_music_rhythm_game.pdf  (in PDF document text)
    • https://s3.amazonaws.com/lixisariwulo/68965702072.pdf  (in PDF document text)
    • https://s3.amazonaws.com/pirofopafu/painting_ideas_for_childrens_rooms.pdf  (in PDF document text)
    • https://s3.amazonaws.com/sefabe/nugget_ampas_tahu.pdf  (in PDF document text)
    • https://s3.amazonaws.com/vufuzewasi/english_vocabulary_quiz_questions_with_answers.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f112563c-b51a-490f-9926-cdb7732176d3/54090357511.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a91aa2a0-6a4c-4b0b-a96a-bc166c68e13a/67255245325.pdf  (in PDF document text)
    • https://s3.amazonaws.com/mexesazaxasa/xevegosab.pdf  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
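
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, both come down to walking the file's indirect objects. The Python below is an added example written for this page, not the analyser's own code. It assembles a constructed PDF in memory (placeholder hosts under .test, not the URLs from this sample; no xref table, since the scanner does not need one) whose Catalog is redefined by an incremental update that adds an /OpenAction, then shows how a first-wins and a last-wins reader disagree about that object, and computes the host-clustering check for the link-farm verdict. The thresholds (200 KB, five links, 50 % share on one host) and the list of "active content" keys are assumptions chosen for illustration, not the analyser's real tuning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# --- constructed sample (not the analysed file) -------------------------------
# Six link annotations on one placeholder host, two elsewhere, so the farm
# heuristic has something to cluster on.
LINK_HOSTS = ["cdn.example-farm.test"] * 6 + ["other.example.test", "mirror.example.test"]

def build_sample_pdf() -> bytes:
    """Hand-assemble a tiny PDF: a page with link annotations, then an incremental
    update that redefines the Catalog (object 1 0) with an /OpenAction added."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = []
    for i, host in enumerate(LINK_HOSTS):
        num = 10 + i
        refs.append(f"{num} 0 R".encode())
        objs.append((f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI (https://{host}/file{i}.pdf) >> >> endobj").encode())
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >> endobj")
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update after %%EOF: same object number, different body bytes.
    update = (b"1 0 obj << /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /URI /URI (https://cdn.example-farm.test/go.pdf) >> >> endobj\n"
              b"%%EOF\n")
    return original + update

# --- scanner ------------------------------------------------------------------
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that turn a duplicate body from a metadata edit into active content (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")

def scan_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order, duplicates preserved."""
    objs: dict = {}
    for m in OBJ_RE.finditer(pdf):
        objs.setdefault((int(m[1]), int(m[2])), []).append(m[3].strip())
    return objs

def resolve(objs: dict, key: tuple, policy: str = "last") -> bytes:
    """Emulate a first-wins or last-wins reader for one indirect object."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]

def duplicate_objects(objs: dict) -> list:
    """Same (N G) defined more than once with different bytes; 'active' is True
    when any of the conflicting bodies carries an action or script key."""
    hits = []
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            hits.append({"obj": key, "versions": len(bodies), "active": active})
    return hits

def link_farm_verdict(pdf: bytes, max_size=200_000, min_links=5, min_share=0.5) -> dict:
    """Small file + many external /URI links + most of them on one host => link-farm shape."""
    uris = [m[1].decode("latin-1") for m in URI_RE.finditer(pdf)]
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = len(pdf) <= max_size and len(uris) >= min_links and share >= min_share
    return {"size": len(pdf), "links": len(uris), "top_host": top_host,
            "top_share": round(share, 2), "flagged": flagged}

if __name__ == "__main__":
    pdf = build_sample_pdf()
    objs = scan_objects(pdf)
    print(link_farm_verdict(pdf))
    for hit in duplicate_objects(objs):
        print("duplicate object", hit)
        print("  first-wins:", resolve(objs, hit["obj"], "first"))
        print("  last-wins: ", resolve(objs, hit["obj"], "last"))
```

On the constructed sample the farm check reports nine /URI links with seven on one host and flags the file, and the duplicate check reports object (1, 0) as defined twice with active content: a first-wins reader sees a Catalog without /OpenAction, a last-wins reader sees one that navigates to the farm host on open. Real files need more than this regex walk (objects inside object streams, indirect /Length values, strings containing "endobj"), but the decision logic is the same.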

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f17f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF17F   5436 bytes
  SHA-256: abe324de1c45467f231c3ca7abb72989aa00a325a7a26e3ec5d85489e719eafa
font_01_sfnt_off000103f7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x103F7  10628 bytes
  SHA-256: cefe52f4a7637c0bea9011dc4a0bb70bbdf5736b46b2b9cf6e94ae4bf0c37faa
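
Carving entries like the two above means finding every stream object, decoding it, and keeping the ones that start with an sfnt magic, independent of which /FontFile key (if any) references them. The Python below is an added example for this page, not the analyser's carver; it builds a constructed PDF containing a FlateDecode font stream around a minimal hand-made sfnt header and an ordinary page content stream, then carves by magic, reports the offset of the raw (still compressed) stream data as the table does, and hashes the decoded bytes. The artifact naming font_NN_sfnt_offXXXXXXXX.bin mirrors the table; the assumption that the table's offsets point at the raw stream data is mine.

```python
import hashlib
import re
import struct
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# sfnt container magics: TrueType (0x00010000), CFF-based OpenType, Apple 'true', collections.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

def sample_sfnt() -> bytes:
    """Minimal TrueType-style sfnt: offset table with one 'head' record pointing at
    4 bytes of data. Enough for magic sniffing, not a usable font (constructed)."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # version, numTables, searchRange, ...
    record = b"head" + struct.pack(">III", 0, 28, 4)          # tag, checksum, offset, length
    return header + record + b"\x00\x00\x00\x00"

def stream_obj(num: int, extra: bytes, data: bytes) -> bytes:
    return (b"%d 0 obj << %s /Length %d >>\nstream\n%s\nendstream\nendobj"
            % (num, extra, len(data), data))

def build_sample_pdf() -> bytes:
    """Constructed PDF (no xref table; this carver does not need one): a FlateDecode
    font stream holding sample_sfnt() plus an ordinary page content stream."""
    font = sample_sfnt()
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        stream_obj(4, b"/Length1 %d /Filter /FlateDecode" % len(font), zlib.compress(font)),
        stream_obj(5, b"", b"BT /F1 12 Tf (hello) Tj ET"),
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

def stream_of(body: bytes):
    """Split an object body into (dictionary, raw stream bytes, data offset within body).
    Honour a direct /Length when present; otherwise fall back to the endstream keyword."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return None
    dictionary, start = body[:m.start()], m.end()
    length = re.search(rb"/Length\s+(\d+)\s*(?=/|>>)", dictionary)   # direct length only, not "N 0 R"
    if length:
        raw = body[start:start + int(length[1])]
    else:
        raw = body[start:body.find(b"endstream", start)].rstrip(b"\r\n")
    return dictionary, raw, start

def carve_fonts(pdf: bytes) -> list:
    """Walk every indirect object, inflate FlateDecode streams, keep those whose decoded
    bytes start with an sfnt magic. 'offset' is the file offset of the raw stream data;
    'sha256' covers the decoded font bytes that would be written to disk."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        parts = stream_of(m[3])
        if parts is None:
            continue
        dictionary, raw, rel = parts
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                      # truncated or corrupt stream: skip it
        if data[:4] not in SFNT_MAGICS:
            continue
        offset = m.start(3) + rel
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "kind": "pdf-font-stream",
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found

if __name__ == "__main__":
    for f in carve_fonts(build_sample_pdf()):
        print(f["filename"], f["kind"], "offset 0x%X" % f["offset"], f["size"], "bytes", f["sha256"])
```

Hashing the decoded bytes rather than the compressed stream is what makes the SHA-256 comparable across samples: the same font re-embedded by a different producer compresses differently but decodes to identical bytes, so the artifact hash can be pivoted on. Streams that fail to inflate are skipped rather than hashed, since a truncated font is not a reusable indicator.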