Malicious PDF — malware analysis report

Static analysis result for SHA-256 65480954d72bc303…

MALICIOUS

PDF

80.6 KB Created: 2021-05-15 02:25:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07
MD5: d37f124613be1e7a8e9f8086e056ffe1 SHA-1: 01142b514d8b2f5b31acb72c45207cf6a29b3207 SHA-256: 65480954d72bc3032714ccd3b1ac11134504fa04fba892a93129bec9edfb7926
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, with a primary focus on directing users to 'https://golowaki.ru/strik?utm_term=letter+of+intent+nurse+residency+example', disguised as a relevant document. The PDF's structure and the presence of multiple external links suggest it is part of a link farm or phishing campaign designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/strik?utm_term=letter+of+intent+nurse+residency+example PDF link annotation
    • https://xugugizebe.weebly.com/uploads/1/3/1/4/131482894/5597920.pdfIn PDF document text
    • https://lisogawe.weebly.com/uploads/1/3/5/3/135312855/1180072.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448995/normal_6026d190d0be3.pdfIn PDF document text
    • https://sunitago.weebly.com/uploads/1/3/1/8/131856801/ca963c66503.pdfIn PDF document text
    • https://dinijituwit.weebly.com/uploads/1/3/1/6/131606252/2537812.pdfIn PDF document text
    • https://povurumupun.weebly.com/uploads/1/3/4/8/134884194/1871dc5e39bb3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4443624/normal_60502378f24f7.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/48befedc-cd82-4d2b-9206-bdeac3824139/62257211717.pdfIn PDF document text
    • https://8f1c0ae7-1ba6-4c51-a623-4d29f5e3aebb.filesusr.com/ugd/c1615c_c374774befdf4d0aa1a4a78ec5dab2cc.pdf?index=trueIn PDF document text
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_cca0fe129de641ae9d6a5f12a5258f1e.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/eaef922f-6965-48e4-ac55-a714c1571370/what_is_prehistoric_art.pdfIn PDF document text
    • https://a161ff94-1a6f-4367-b6f8-8e513a5e676d.filesusr.com/ugd/4c7633_d488a4017cdb4dd48e7e25c2dba5085b.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee5f8aa0-373f-4da8-b7bc-2996f2f15c0a/66822366286.pdfIn PDF document text
    • https://bad3f395-1638-4667-b349-d6f934eeab49.filesusr.com/ugd/ed2d23_29ce2472e6004b4990b611f6c3541824.pdf?index=trueIn PDF document text
    • https://6a9ecc2b-05c3-4056-8705-773ae6be8cdd.filesusr.com/ugd/7a359d_ae1b30af900342d28f651cb0c92b6c3b.pdf?index=trueIn PDF document text
    • https://9480ebe7-8096-4165-94d5-b35dd525e9f4.filesusr.com/ugd/07b43d_c7c813168e134f3c9d05db45a5660572.pdf?index=trueIn PDF document text
    • https://933afb0c-60ca-4ff4-ba38-e7c804ca925d.filesusr.com/ugd/941881_ffab60377ee34428ba06ff9a03db0f80.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f315.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF315 5412 bytes
SHA-256: bbff0c11482d0e8314944d3feae6fa3f1f2ef7350c2e2ab7e4ac90a97ac86478
font_01_sfnt_off00010574.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10574 1800 bytes
SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
font_02_sfnt_off00010e02.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E02 11416 bytes
SHA-256: 7c4f151f9e7858ca1f22db05bf4798c5a9e054bf4bf62374a6b1b9e438d8adde