Malicious PDF — malware analysis report

Static analysis result for SHA-256 63134b046d3b57ad…

MALICIOUS

PDF

Size: 102.7 KB
Created: 2021-04-30 23:45:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 01f6d45f41071f40e8cb26705b758166
SHA-1: 7eda11522c9c720c8440f5a1ef9c345237f927b2
SHA-256: 63134b046d3b57ade9cfed24d90624613dbf1a39ed8e61deb79b512962956374
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO poisoning tactic. The ClamAV detection and ML classifier indicate malicious intent, likely phishing or malware distribution. The embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' strongly suggest the document's purpose is to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=fearless+mp3+song+download+mr+jatt (in PDF link annotation)
    • http://ighelperscenter.com/918406371413ppgn.pdf (in PDF document text)
    • http://perevozka.ru/propresenter_7_free_medias9dsv.pdf (in PDF document text)
    • http://trelon.fun/pharmacotherapy_dipiro_10th_editionusobb.pdf (in PDF document text)
    • http://mukumalatixuji.iblogger.org/aitken_spence_hotels_annual_report_2015.pdf (in PDF document text)
    • http://sipoxamux.22web.org/kef_ls50_wireless_guide.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cd71b7fc-d311-42c9-8193-4295115a5b69/vikekulutedoje.pdf (in PDF document text)
    • https://s3.amazonaws.com/norozovijalu/dedomezodokubezureb.pdf (in PDF document text)
    • https://s3.amazonaws.com/fojaxexino/bissell_powersteamer_pro_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a427e0c2-224c-4bd3-b247-03d99908deaf/gubifafujozapili.pdf (in PDF document text)
    • https://s3.amazonaws.com/fofeguj/zidukulurazikagitawi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f44dc653-2e40-4ba7-99bc-6e8cdb9e99da/architecture_oculus_define.pdf (in PDF document text)
    • https://s3.amazonaws.com/luramamelolem/define_debriefing_report.pdf (in PDF document text)
    • https://f27bca7f-571c-471d-9e77-92385e6dfcd0.filesusr.com/ugd/9a0fa1_f1ceadacc2c2413fa0bfe81674d43b25.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/fapaga/graco_travel_cot_music_instructions.pdf (in PDF document text)
    • https://ec5c17a1-061e-4a2c-a9e6-b3561ba71229.filesusr.com/ugd/299074_c69c7a6ada7249e28b8535382c13ae66.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/06026db5-c34b-475c-9262-6e8c6fa886c4/black_and_decker_18_volt_lithium_battery_charger.pdf (in PDF document text)
    • https://30de3caf-c510-4ce9-8691-b8280dc60d9b.filesusr.com/ugd/4980ee_5a00ddea13974cb1b59b6308f9014de3.pdf?index=true (in PDF document text)
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_fa45e00f283847699365f5c7fc2370e9.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ee4f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE4F | 6508 bytes
  SHA-256: af01be969e593b3dd735d83b06e8c91fff99a75c2d64d06d7b4c75f7fd14a8e1
font_01_sfnt_off0000fe56.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE56 | 2880 bytes
  SHA-256: 73e95823cac94483bc0534e7df5546d784cd8097fc2b0cd0989c02c37830543f
font_02_sfnt_off00010898.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10898 | 5308 bytes
  SHA-256: 463977020b689af357f3544aba5f4e405c1d25ec3fc1a7604118c3ee8d786d01
font_03_sfnt_off00011aa4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11AA4 | 7228 bytes
  SHA-256: e43ff74e8329f1d085ead08bd23837bb8ae894c4a5c9331fd519c7808b3ff71e
font_04_sfnt_off000131b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x131B3 | 2588 bytes
  SHA-256: a97ca08162d97cb9875df6bd2694da6d6dc04da65e45b2bb52fd3675b7d019b3
font_05_sfnt_off00013cf1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13CF1 | 12520 bytes
  SHA-256: ae98fa2e126429d731405f73bdf36fe17a82b90ff28b63096510ce28a581c36b
font_06_sfnt_off00016702.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16702 | 16400 bytes
  SHA-256: 8a2c257830d752b9db42df6adda505028570fa7c63abc04de192d83bd8822b76
font_07_sfnt_off00017d26.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17D26 | 4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2