Malicious PDF — malware analysis report

Static analysis result for SHA-256 61f22b7501c94af1…

MALICIOUS

PDF

75.3 KB Created: 2021-03-18 10:11:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13
MD5: 0febea5c4aba113ba34714f3c9e948d6 SHA-1: 2f1216863df366f8a7cdf25d3ce94b1f543358e9 SHA-256: 61f22b7501c94af1225e8c3d4d164665fcec9c7bad65e5553b2a85f813c402f7
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan delivery mechanism. It contains numerous embedded URLs, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, suggests a lure related to a 'family tree chart template', likely a pretext to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=family+tree+chart+template PDF link annotation
    • http://deutschebank-meine.com/apeman_h45_trail_camera_instruction_manuallc427.pdfIn PDF document text
    • http://tuvurebomiworo.scienceontheweb.net/diploma_applied_mathematics_1.pdfIn PDF document text
    • http://babysampler.com/pro-sumer_power_ii_ebookr6ire.pdfIn PDF document text
    • http://xsafak.com/9212793994803vnc.pdfIn PDF document text
    • http://bufezipuduxev.mywebcommunity.org/ateten_gmlek.pdfIn PDF document text
    • http://biniwitovo.mywebcommunity.org/42395559181.pdfIn PDF document text
    • http://gedirobidepud.scienceontheweb.net/56972684679.pdfIn PDF document text
    • http://loveantravel.xyz/how_to_make_balloon_animals3rmyn.pdfIn PDF document text
    • http://bestita.space/2891770353213hvf.pdfIn PDF document text
    • http://zexofezureza.iblogger.org/hungry_shark_evo_apk_android_oyun_club.pdfIn PDF document text
    • http://nowatora.22web.org/attendance_management_system_using_face_recognition_report.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/wazotojemov/how_to_fix_ink_pad_epson_l110.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7fe852ac-860e-491c-9f99-ebcd61192612/wopovut.pdfIn PDF document text
    • http://saxarivoje.onlinewebshop.net/hogwarts_a_history.pdfIn PDF document text
    • http://rogofideb.onlinewebshop.net/taxorufigej.pdfIn PDF document text
    • https://s3.amazonaws.com/dixaleko/astera_ax3_manual.pdfIn PDF document text
    • http://zowofiz.myartsonline.com/75984897552.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/48109182-8bd4-4b62-b116-d55581ad95ed/how_to_remember_the_atomic_mass_of_first_20_elements.pdfIn PDF document text
    • http://budezeja.rf.gd/nagejaluwirirekezuwoz.pdfIn PDF document text
    • https://s3.amazonaws.com/dopugaxelelema/kejajidobafivanalivogas.pdfIn PDF document text
    • http://lumosaneja.onlinewebshop.net/pes_manual_usmc_2018.pdfIn PDF document text
    • http://zopiselewanut.epizy.com/25410644750.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de1fd8a6-0a6e-48cd-84bc-15b008458ff4/how_to_install_sq8_mini_dv_camera.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/de36108c-dbf8-4777-9360-ed1739f2fda2/manekagafu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/077b1d07-13ee-4ad8-816e-c8b0dbb4d870/liftmaster_not_closing.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb33.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB33 5052 bytes
SHA-256: cfbbed75903a8a7fa5053f2ed06b79ce75c51cfcfe525e895a21b1dda565dff0
font_01_sfnt_off0000fc43.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC43 10524 bytes
SHA-256: 89b71fe0d9f3daafed7fb80d0d5377b0db331859c6f3d253b250d6e5ba921300