Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b2344d25900cec7…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-06-07 05:52:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-16
MD5: 83ba0942dddf57f7529fb096513311f4
SHA-1: e7e1df607c2d5b4cd4b064c485c8b8965c25f6fe
SHA-256: 6b2344d25900cec7ebe0c5629f0151b7c4719cc30096793baadf603eb91ff560
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a significant number of embedded links, identified as a link farm, directing users to potentially malicious websites. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically flags a URL leading to known malicious infrastructure. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed for this sample were found in the PDF document text.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000100f3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100F3
    Size: 5092 bytes
    SHA-256: f5e1a4c1e86ce58a76eb4caeb568abdb68132ad4f8311cb59ebebc8e095de072
  • Filename: font_01_sfnt_off0001122b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1122B
    Size: 10980 bytes
    SHA-256: 3e182d390b546db72f7593dbcaf5bdf250d173452de50ec4b19149b729757769