Malicious PDF — malware analysis report

Static analysis result for SHA-256 66a7f277ea78f1fb…

MALICIOUS

PDF

76.6 KB Created: 2021-04-04 05:44:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20
MD5: ed0f21788582520fa423ea9c5041b4ff SHA-1: b13ae5e2fb6c867c323887dea5a9d3cabc73da7d SHA-256: 66a7f277ea78f1fb1d1414df446098e37834968894d7735a8b589913b8246142
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm designed to redirect users to potentially harmful content. The primary malicious URL identified is https://pelibifir.ru/strik?utm_term=clifford+the+big+red+dog+books+to+read+online, which is likely used to distribute further payloads or conduct phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=clifford+the+big+red+dog+books+to+read+online PDF link annotation
    • http://cadenalia.com/7169404255g6ui1.pdfIn PDF document text
    • http://hookup154.online/6388821090rvdq1.pdfIn PDF document text
    • https://cdn.sqhk.co/sedasolegov/4heidQd/nifinusal.pdfIn PDF document text
    • https://cdn.sqhk.co/tobijoge/gccpvzr/jogo_island_tribe_4_online_gratis.pdfIn PDF document text
    • https://cdn.sqhk.co/ributexovek/hIw2ohc/mu_jungle_fly_jay.pdfIn PDF document text
    • http://maewallace.com/bruleur_fioul_riello_40_g3_milleniumiksy1.pdfIn PDF document text
    • https://cdn.sqhk.co/jesupesiparu/ha7iJUk/boss_fight_studios_bucky_o_hare.pdfIn PDF document text
    • https://cdn.sqhk.co/vefusujix/jbieO0O/zelobusurijuwoboxogum.pdfIn PDF document text
    • https://cdn.sqhk.co/butuxolevu/jKbhggh/calla_lily_plant_care_outdoors.pdfIn PDF document text
    • http://trylait.club/30230279042jku2p.pdfIn PDF document text
    • https://cdn.sqhk.co/kajemuwasutu/jihdZ32/26377444995.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://7b4e975e-109f-4397-a679-93e438ff1453.filesusr.com/ugd/c33f71_c6256bbf163141a899c2eaeb4974df25.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/xarojapi/report_acknowledgement_sample_internship.pdfIn PDF document text
    • https://3caa4030-7dd6-4be4-8a8a-e1981c45b3cd.filesusr.com/ugd/704988_6a8471b8ddbe4971bc4e5a3fedfb24e2.pdf?index=trueIn PDF document text
    • https://0298dc5a-7924-4276-8279-06452a5288da.filesusr.com/ugd/b30cf0_2b3317abd16b41c196f26ac4f9f468e5.pdf?index=trueIn PDF document text
    • https://2a6c20f5-091f-48b5-a5be-bf749919b1f6.filesusr.com/ugd/3794ad_a60a78ec5a57448a850cea458cf5d8b9.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/babuxufarizuxur/xilukusokuta.pdfIn PDF document text
    • https://df6a9abb-74f3-47e1-b359-fe6d1019da36.filesusr.com/ugd/7921d2_ce14811d7b23447d87dc2c908f4d7c7c.pdf?index=trueIn PDF document text
    • https://fccd5518-64e1-462d-9dbe-8d8d8a19ca7a.filesusr.com/ugd/eb005d_84931088595349ac8ab5041d6ee9e269.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eecb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEECB 5276 bytes
SHA-256: d31dfb5ea8e002571de1d06b5a832fa242fa244a57ddd88ba88bb678d5c2d215
font_01_sfnt_off000100b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x100B3 10492 bytes
SHA-256: 8403872066af3dbb77eb0d80a55cde9e72218bf85dc752ff4d590f36f52b54e8