Malicious PDF — malware analysis report

Static analysis result for SHA-256 67fbd659c3802801…

MALICIOUS

PDF

Size: 138.4 KB
Created: 2021-03-19 00:09:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-20
MD5: 019446f060b848440ba06fb0a0323915
SHA-1: 3144ce5cefcd01dad86d428c564d0be779519832
SHA-256: 67fbd659c38028011c2c79aa2dcad082c3b5de68a4925e941c2934d9424a5b52
Risk Score: 226

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, employing a link farm to direct users to external resources. The presence of multiple external links, some hosted on disposable domains, and the ML classifier's high confidence score indicate a malicious intent to potentially deliver further payloads or lead users to phishing sites. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_006_off0001ec57.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x1EC57; Size: 18916 bytes
    SHA-256: cd030c71cc7b7076949123fd6bcbc5ae93f056219486040ca71e0c6a1636f141
  • font_00_sfnt_off0001a527.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1A527; Size: 2960 bytes
    SHA-256: 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac
  • font_01_sfnt_off0001af97.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1AF97; Size: 4880 bytes
    SHA-256: 257fb24ac4f4cd0e3185f4e983780f91d50c7d52c338e58ed3faec9d471be9f0
  • font_02_sfnt_off0001c02d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1C02D; Size: 13000 bytes
    SHA-256: 4bc31e08008e49ee1082a009a91f2a7228b41a1db583493fd4a604baaeb92d1e
  • font_04_sfnt_off00020af1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x20AF1; Size: 4324 bytes
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34